
Guidelines for Strengthening Financial IT Stability

2024.01.09

On November 8, 2023, the Financial Supervisory Service (the “FSS”) released the “Guidelines for Strengthening Financial IT Stability” (the “Guidelines”). The Guidelines are scheduled to take effect by the end of 2023, after certain internal procedures, including self-assessments and reports by seven financial associations and national federations, are completed.

The suspension of financial services resulting from IT-related incidents can cause serious harm or inconveniences to consumers and even lead to social disruption. Given the increasing frequency of such occurrences, there has been a growing need for financial institutions to improve their IT internal control systems and address issues arising during the development and operation of IT systems and infrastructures.

In March 2023, the FSS established a task force with seven different associations and national federations to jointly prepare the Guidelines. After preparing an initial draft based on IT inspection precedents and best practices, the FSS finalized the Guidelines by incorporating the opinions of financial institutions gathered by the seven associations and national federations.

The Guidelines apply to financial companies and electronic financial business operators. In principle, they apply to all information processing systems operated by such companies; however, systems that do not affect customer service may be exempted with the approval of the company’s Chief Information Officer (the “CIO”).

The Guidelines address three key areas: (i) performance management of IT systems; (ii) the establishment and operation of emergency measures; and (iii) program oversight. A summary of the Guidelines follows.

1. Performance Management of IT Systems

(1) Establishment of thresholds and responsive measures
Manage the threshold for each IT resource in four stages (normal → caution → alert → serious). Review the need to expand computing resources at the “caution” stage, and expand them immediately at the “alert” and “serious” stages.

(2) Analysis and forecasting of inflow at large-scale events
Establish standards defining what constitutes a large-scale event for each financial company. At the event planning stage, report the customer demand forecast and the results of processing-capacity verification to the CIO. Also prepare for events by securing spare equipment and inspecting emergency expansion systems, among other measures.

(3) Preparation of emergency measures for performance management
Where an increase in usage cannot readily be addressed by expanding computing resources, develop alternative contingency measures, such as mass access control, to prevent system paralysis and service interruption. Additionally, establish systems that allow computing resources such as CPU and memory to be expanded immediately.

(4) Securing a foundation for performance management, such as an internal organization and regulations
Establish an organizational unit in charge of performance management for the overall IT system. Additionally, develop and implement internal regulations that set out performance management procedures and define the authority of that unit.

(5) Establishment of an internal reporting system for performance management
If computing resource thresholds reach the “alert” or “serious” stage, analyze the cause of the event. Promptly prepare and submit to the CIO a performance management report that includes a remediation plan.

2. Establishment and Operation of Emergency Plans for the IT Systems

(1) Enhancement of the effectiveness of emergency training and the feedback system
Conduct disaster recovery drills covering all core businesses at least once every five years. Remediate any deficiencies discovered during the drills to ensure business continuity, among other aspects.

(2) Expansion of infrastructure for disaster recovery centers
Secure the infrastructure for disaster recovery centers, including databases and servers, and require telecommunication lines to be established with key external organizations so that core functions can be executed from the disaster recovery centers even when the main data centers are paralyzed.

(3) Prevention of and preparation for IT center fires
Establish reporting, initial response and evacuation procedures for each scenario to ensure business continuity in case of a fire in the IT center.

(4) Determination of core businesses and specification of relevant departments
When selecting core businesses, consider the results of a company-wide operational risk or impact analysis. Include the consultation, assessment and reporting systems of the relevant departments in each work sector in the procedures for selecting core businesses.

(5) Inspection of measures to ensure business continuity and establishment of relevant systems
Facilitate access to materials related to business continuity measures, such as user manuals and contact information, by maintaining booklets or documents in advance or by establishing a disaster recovery system for the data.

3. Program Oversight

(1) Strengthening of third-party verification and control functions
Specify in internal regulations the procedures for program registration, modification and destruction, as well as the mechanisms for verifying their legitimacy. Assign the verification of such legitimacy to a separate organization composed of experienced IT developers.

(2) Strengthening of testing capacity
Set up a testing environment resembling the company’s own production system for conducting availability (load) tests, and establish an internal organizational unit in charge of such testing. Implement an automated test solution.

(3) Distribution strategy for the stability of IT operations
Require that programs be distributed (deployed) to production when customer log-in traffic is minimal, to limit the damage if the distributed program contains an error.

(4) Strengthening of management and inspection of program controls
Conduct a quarterly inspection, led by an internal auditor, of compliance with control procedures during the development and testing stages, including the procedures for program registration, modification and destruction.

(5) Strengthening of internal training on program control procedures
Establish training programs, held at least once a year, for new employees and for employees who have not complied with program control procedures, covering (i) program registration, modification and destruction mechanisms; (ii) program testing procedures; and (iii) procedures for the application and distribution of operational systems.

While the Guidelines are not legally binding, they operate as recommendations to financial institutions based on compiled IT audit findings and best practices. Because the Guidelines set a minimum standard for stabilizing IT operations, each company subject to them is expected to have discretion in deciding how to implement that standard, provided its adjustments align with the Guidelines’ purpose.

However, as the Guidelines elaborate on matters not stipulated in Articles 23, 25 and 29 of the Electronic Financial Supervisory Regulation (the “EFSR”), companies failing to comply may violate the EFSR, resulting in potential administrative sanctions.

Therefore, financial companies and electronic financial business operators subject to the Guidelines may need to incorporate them into their internal regulations and policies. They would likely benefit from complying with the requirements of the Guidelines, including those on organizational structure, establishment of IT systems, expansion of IT resources and employee training.

 
