JR/T 0071.5-2020: Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 5: Audit requirements
Status: Valid. Price: US$319.00 (in stock). Delivery: within 3 days; the true-PDF full copy in English is manually translated and delivered via email.
Basic data
Standard ID: JR/T 0071.5-2020 (JR/T0071.5-2020)
Description (translated English): Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 5: Audit requirements
Sector / Industry: Finance Industry Standard (Recommended)
Classification of Chinese Standard: A11
Classification of International Standard: 03.060
Word Count Estimation: 13,140
Date of Issue: 2020-11-11
Date of Implementation: 2020-11-11
Issuing agency: People's Bank of China
JR/T 0071.5-2020: Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 5: Audit requirements --- This is a DRAFT version for illustration, not a final translation. The full true-PDF English version (including equations, symbols, images, flow charts, tables and figures) is manually and carefully translated upon order.
Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 5: Audit requirements
Financial industry standard of the People's Republic of China
Released 2020-11-11; implemented 2020-11-11
Issued by the People's Bank of China
1 Scope
2 Normative references
3 Audit objectives
4 Auditor requirements
5 Audit information management requirements
6 Audit process requirements
7 Audit content requirements
References
Foreword
JR/T 0071 "Implementation guidelines for classified protection of cybersecurity of the financial industry" consists of the following six parts:
--Part 1: Basics and terminology;
--Part 2: Basic requirements;
--Part 3: Job competence requirements and evaluation guidelines;
--Part 4: Training guidelines;
--Part 5: Audit requirements;
--Part 6: Audit guidelines.
This part is Part 5 of JR/T 0071.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
This part was proposed by the People's Bank of China.
This part is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).
Drafting organizations of this part: the Science and Technology Department of the People's Bank of China, the Statistics, Information and Risk Monitoring Department of the China Banking and Insurance Regulatory Commission, China Financial Electronics Corporation, and Beijing Zhongjin Guosheng Certification Co., Ltd.
Main drafters of this part: Li Wei, Chen Liwu, Shen Xiaoyan, Che Zhen, Zan Xin, Xia Lei, Fang Yi, Zhang Haiyan, Tang Hui, Li Fan, Wang Haitao, Zhang Lu, Hou Manli, Pan Liyang, Deng Hao, Zhao Fangmeng, Qiao Yuan, Sun Guodong, Liu Wenjuan, Cui Ying, Chen Xuefeng, Ma Chenglong, Du Wei, Li Ruifeng.
Introduction
Classified protection of cybersecurity is a basic system for national cybersecurity assurance. Important systems in the financial industry concern the national economy and people's livelihood and are key protection objects of national cybersecurity, so a series of classified protection standards suited to the financial industry is needed to standardize and guide the implementation of classified protection in the financial industry. With the widespread application of new technologies such as cloud computing, mobile internet, the Internet of Things and big data, financial institutions continue to transform their IT architectures according to their own development needs. To adapt the financial industry's classified protection work to new technologies, new applications and new architectures, JR/T 0071 has been revised. The revised JR/T 0071 is based on the relevant national requirements for classified protection of cybersecurity and provides methodology, specific construction measures and technical guidance for cybersecurity construction in the financial industry, so that the financial industry's classified protection system is better adapted to the application of new technologies in the financial industry.
Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 5: Audit requirements
1 Scope
This part specifies the requirements for implementing audits of classified protection of cybersecurity in financial institutions.
This part applies to guiding financial institutions, evaluation institutions and the financial industry's competent authority for classified protection of cybersecurity in carrying out classified protection audit work.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25058 Information security technology - Implementation guide for classified protection of cybersecurity
3 Audit objectives
Through the classified protection audit, obtain relevant evidence of the financial institution's classified protection work and evaluate it objectively, so as to determine whether the financial institution's classified protection work, such as grading, filing, construction and rectification, self-assessment and security inspection, follows the requirements of classified protection of cybersecurity.
4 Auditor requirements
4.1 Auditing principles
Auditors should follow the following principles during the audit process:
a) Ethical behaviour. Auditors should be honest and upright and keep the secrets of the audited institution.
b) Fair presentation. Auditors should report the audit results truthfully and accurately.
c) Professional competence. Auditors should have the competence necessary for auditing.
d) Independence. Auditors should be free of bias, have no conflict of interest with the audited institution and maintain an objective state of mind throughout the audit, so that the audit findings and conclusions are based only on the audit evidence.
e) Evidence-based approach. Audit evidence should be based on samples of the available information.
4.2 Ability requirements
Auditors who carry out classified protection audits for the financial industry should have the following capabilities:
a) Familiarity with the relevant policies and regulations on classified protection of cybersecurity.
b) A correct understanding of the classified protection standard system and the content of its main standards.
c) Familiarity with the whole process of classified protection work, including the requirements for grading, filing, construction and rectification, evaluation self-assessment and security inspection.
d) Command of the basic knowledge of cybersecurity and familiarity with audit methods and procedures.
e) The ability to analyse and judge comprehensively, to ensure the objectivity and accuracy of the audit conclusions as a whole, and strong written expression ability.
4.3 Personnel training
Auditors who carry out classified protection audits in the financial industry should take part in the relevant standard training organized by the financial industry's competent authority for classified protection of cybersecurity, so as to master the requirements for carrying out classified protection work in the financial industry.
4.4 Personnel records
Auditors should submit up-to-date records of their education, work experience, training and audit experience, which the audit institution uses as the basis for selecting auditors when arranging audit work.
5 Audit information management requirements
5.1 Confidentiality requirements
Audit institutions are responsible for the confidentiality of commercial, technical and audit-process information about financial institutions obtained during the audit. Auditors should, in accordance with the audit institution's requirements, identify whether confidentiality is required for all information obtained or generated during the audit; auditors and related personnel should not disclose, spread or leak confidential information in any form or on any pretext.
When the law requires confidential information to be provided to a third party, the audit institution shall, unless otherwise provided, inform the financial institution in advance of the information required by law. When confidential information must be provided to other agencies (such as public security departments or state secrecy departments), the audit institution should inform the financial institution of this.
Audit institutions shall manage information on audit activities confidentially and configure and use appropriate secure processing equipment and facilities as required. Secure processing equipment and facilities are mainly used for the creation, custody, storage, reproduction and final disposal of confidential information.
5.2 Integrity requirements
When media containing financial institution information (such as paper documents or CDs) are transported physically, reliable transport channels should be used to prevent unauthorized access, tampering, misuse or destruction. Where necessary, special controls such as hand delivery or tamper-evident packaging should be taken to protect key information from unauthorized disclosure or tampering.
Information contained in electronic message transmissions should be appropriately protected against unauthorized access and tampering, for example by encryption, hashing or electronic signatures.
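The integrity measures named in 5.2 (hashing and a signature or equivalent over the transmitted information) are illustrated below with an evidence bundle of the kind collected under 6.3.1. This is an added example, not text or code from the standard: each evidence item is hashed with SHA-256 into a manifest, the canonical manifest is sealed with HMAC-SHA256 under a key assumed to be shared between the audit institution and the financial institution (a stand-in for the electronic signature the standard mentions; a real deployment would use an asymmetric signature or a key agreed out of band), and the receiving side verifies the seal before trusting any per-item hash. The evidence contents, file names and key are constructed sample data.

```python
"""Integrity protection for an audit-evidence bundle in transit (hashing plus a keyed MAC)."""
import hashlib
import hmac
import json

# Constructed sample evidence items; in practice these would be the grading,
# filing and inspection records collected during the on-site audit.
SAMPLE_EVIDENCE = {
    "grading-report.pdf": b"%PDF-1.4 constructed grading report for system A\n",
    "filing-receipt.txt": b"Filing receipt no. 0001 (constructed sample)\n",
    "self-check-2020.csv": b"control,result\nA.1,pass\nA.2,fail\n",
}

# Key shared between the audit institution and the financial institution.
# Assumption for this example only; a real deployment would agree the key out
# of band or use an asymmetric signature, which the standard also allows.
SAMPLE_KEY = b"example-shared-key-do-not-reuse"


def build_manifest(evidence):
    """Return a manifest mapping each evidence item name to its SHA-256 hex digest."""
    return {
        "items": {name: hashlib.sha256(data).hexdigest() for name, data in sorted(evidence.items())},
    }


def canonical_bytes(manifest):
    """Serialize deterministically so both sides compute the MAC over identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_manifest(manifest, key):
    """Compute an HMAC-SHA256 tag (hex) over the canonical manifest."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_bundle(evidence, manifest, tag, key):
    """Check the seal first, then every item's hash; return (ok, list_of_problems)."""
    problems = []
    expected = seal_manifest(manifest, key)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        # A bad tag means the manifest itself is untrustworthy; do not go further.
        return False, ["manifest MAC mismatch"]
    items = manifest.get("items", {})
    for name, digest in items.items():
        if name not in evidence:
            problems.append(f"missing item: {name}")
        elif hashlib.sha256(evidence[name]).hexdigest() != digest:
            problems.append(f"hash mismatch: {name}")
    for name in evidence:
        if name not in items:
            problems.append(f"unlisted item: {name}")
    return not problems, problems


def demo():
    """Seal the sample bundle, then show that altering one item is detected."""
    manifest = build_manifest(SAMPLE_EVIDENCE)
    tag = seal_manifest(manifest, SAMPLE_KEY)
    ok, _ = verify_bundle(SAMPLE_EVIDENCE, manifest, tag, SAMPLE_KEY)
    # Simulated tampering in transit: a failed control is changed to "pass".
    tampered = dict(SAMPLE_EVIDENCE)
    tampered["self-check-2020.csv"] = b"control,result\nA.1,pass\nA.2,pass\n"
    ok_tampered, problems = verify_bundle(tampered, manifest, tag, SAMPLE_KEY)
    return ok, ok_tampered, problems


if __name__ == "__main__":
    print(demo())
```

The seal is checked before the per-item hashes so that an attacker who edits both an item and its manifest entry is still caught; a plain hash list without a key or signature would not give that guarantee. Confidentiality of the bundle in transit (5.1) is a separate concern and would be addressed by the encryption the standard also names.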
6 Audit process requirements
6.1 General
6.1.1 General requirements
The audit institution shall prepare an audit plan for each audit as the basis for reaching agreement with the financial institution on the schedule and implementation of audit activities. The audit institution shall communicate the audit plan to the financial institution in advance and agree on the audit dates.
The audit institution should formally establish an audit team, define its tasks and inform the financial institution. The audit institution should require the audit team to:
a) Inspect and verify the documents and records relating to the financial institution's classified protection work, namely grading, filing, construction and rectification, self-assessment and security inspection.
b) Confirm that the above aspects meet all requirements of the financial industry's classified protection documents and standards.
c) Confirm that the financial institution has effectively established, implemented and continued to carry out the activities of classified protection work.
d) Inform the financial institution of any non-conformities with the requirements so that it can take corrective measures.
The audit institution shall provide a written report for each audit. The audit team may offer suggestions for improvement but should not propose specific solutions.
For non-conformities found in the audit, the audit institution shall require the financial institution, within the prescribed time limit, to analyse the causes and describe the specific corrective measures taken or planned to eliminate the non-conformities.
The audit institution should review the corrective actions submitted by the financial institution to determine whether they are acceptable.
6.1.2 Audit Team
The audit institution shall formally establish an audit team and provide it with the corresponding working documents. The audit institution should clearly define the tasks of the audit team and inform the financial institution of them. The tasks should include checking the financial institution's grading, filing, construction and rectification, self-assessment and security inspection, and confirming that they meet the relevant requirements.
6.1.3 Audit scope
The audit team shall, in accordance with all applicable audit requirements, audit the classified protection of cybersecurity of the financial institution within the defined scope. The audit institution shall ensure that the relevant equipment and components are covered.
6.1.4 Audit report
Before leaving the financial institution's premises, the audit institution shall convene a meeting of the audit team and the financial institution's management and, in writing or verbally, explain to the financial institution the compliance audit findings, the deficiencies in the financial institution's classified protection work and the rectification requirements.
The audit institution should require the audit team to provide an audit report that includes the compliance audit findings on the financial institution's conformance to the requirements of all classified protection work.
6.2 Audit preparation
The audit institution should form an audit team and assign audit tasks. The audit team leader should prepare an audit plan, and the audit team members should compile an applicable checklist according to the circumstances.
The audit institution should require the financial institution to make the necessary preparations for the audit, including providing the documents to be inspected and access to areas, records and personnel.
Before the on-site audit, the financial institution should provide at least the following:
a) An overall description document of the classified protection objects.
b) Documents evidencing the grading, filing, construction and rectification, evaluation self-assessment and security inspection work for the classified protection objects.
6.3 On-site audit
6.3.1 Obtaining audit evidence
During the audit, the audit team should collect information relevant to the audit criteria according to the audit content, including process and result information relating to activities such as grading, filing, construction and rectification, evaluation self-assessment and security inspection. Where the financial institution has a large number of widely distributed and dispersed classified protection objects, appropriate sampling methods should be used for collection and verification. Only verifiable information may be used as audit evidence, and it should be recorded.
6.3.2 Forming audit findings...