Article 2
The organizations governed by these Directions include securities firms, futures commission merchants, securities investment trust enterprises and securities investment consulting enterprises. These organizations are grouped in two categories, as described below:
- Category 1:
Organizations that appoint the Chief Information Security Officer in accordance with Article 36-2 of the Regulations Governing the Establishment of Internal Control Systems by Service Providers in Securities and Futures Markets.
- Category 2:
Organizations not in Category 1.
- For Taiwanese subsidiaries or branches of a foreign business group whose information security, business continuity or operational resilience policies are established and controlled by the foreign parent company or head office: if the parent company or head office has established relevant control measures under stricter regulations, those regulations shall govern; otherwise, local laws and regulations shall govern.
- Unless otherwise specified below, the following reference directions cover the compliance matters applicable to organizations in both Category 1 and Category 2.
Article 8
An organization shall establish its data backup and system backup mechanisms based on the results of the business impact analysis (BIA):
- An organization shall establish an adequate data backup mechanism based on the system characteristics and the recovery point objective (RPO), considering backup frequency, type of storage media (optical disk, external drive, magnetic tape), type of data (virtual DSM, source code, database, configuration files, etc.), type of backup (full, incremental and differential backup) and method of backup (synchronous network backup, asynchronous network backup and offline backup).
- When establishing the data backup mechanism, an organization is advised to follow the “3-2-1 backup rule”:
  - Keep at least three backup copies.
  - Store the copies on two different types of storage media.
  - Store at least one copy remotely.
- An organization shall implement proper protection measures for confidential and sensitive data held in backups.
- An organization shall establish an adequate system backup structure based on the system characteristics, the needs of the business unit and the recovery time objective (RTO), such as a mirror site, hot site, warm site or cold site.
- When planning its data backup and system backup mechanisms, an organization shall consider data traffic, backup network equipment, backup lines, a backup telecommunication service provider and backup information security protection equipment.
- An organization shall periodically examine the on-site and remote system backup mechanisms and the on-site and remote data backup mechanisms of its core systems to confirm that they still satisfy business needs.
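As an added illustration that is not part of the Directions, the following Python check audits a backup inventory against the 3-2-1 rule and an RPO as Article 8 describes them. The site name, media labels and sample inventory are constructed, and the rule that a remote copy must itself be within the RPO is the editor's interpretation, not text from the Directions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    name: str
    media: str              # storage media type, e.g. "disk", "tape", "optical"
    site: str               # where the copy is kept
    interval: timedelta     # scheduled backup frequency
    last_success: datetime  # time of the last verified successful backup

PRIMARY_SITE = "primary-dc"  # hypothetical name of the production site

def audit_backup_plan(copies, rpo, now):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    # 3-2-1 rule as stated in Article 8
    if len(copies) < 3:
        findings.append(f"3-2-1: {len(copies)} copies kept, at least 3 required")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: all copies share one media type, two required")
    remote = [c for c in copies if c.site != PRIMARY_SITE]
    if not remote:
        findings.append("3-2-1: no copy is stored away from the primary site")
    if copies:
        # RPO: the newest copy bounds the data that can be lost right now,
        # and the schedule must keep that bound within the RPO going forward
        newest_age = min(now - c.last_success for c in copies)
        if newest_age > rpo:
            findings.append(f"RPO: newest copy is {newest_age} old, RPO is {rpo}")
        if min(c.interval for c in copies) > rpo:
            findings.append(f"RPO: shortest backup interval exceeds RPO {rpo}")
        # Assumption (editor's interpretation): a remote copy must also be within
        # the RPO, otherwise losing the primary site breaks the objective
        if remote and min(now - c.last_success for c in remote) > rpo:
            findings.append(f"RPO: no remote copy is within RPO {rpo}")
    return findings

# Constructed sample inventory, not taken from any real organization
SAMPLE_NOW = datetime(2024, 3, 1, 9, 0)
SAMPLE_RPO = timedelta(hours=4)
SAMPLE_COPIES = [
    BackupCopy("db-hourly-local", "disk", PRIMARY_SITE, timedelta(hours=1), SAMPLE_NOW - timedelta(hours=1)),
    BackupCopy("db-hourly-dr", "disk", "dr-site", timedelta(hours=1), SAMPLE_NOW - timedelta(hours=1)),
    BackupCopy("db-nightly-tape", "tape", "offsite-vault", timedelta(days=1), SAMPLE_NOW - timedelta(hours=10)),
]

def audit_sample():
    return audit_backup_plan(SAMPLE_COPIES, SAMPLE_RPO, SAMPLE_NOW)
```

Running `audit_sample()` on the constructed inventory returns no findings; dropping copies or tightening the RPO produces the corresponding 3-2-1 or RPO findings.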
Article 12
An organization shall perform exercises designed for various scenarios and business conditions, and may consult the attached Core System Back-up Exercise Reference Procedure for each stage (preparation, performance of the exercise and post-exercise review) to confirm that the exercise and test procedures operate effectively.
- An organization shall design exercise scenarios based on the identified risk scenarios that may interrupt core business (including natural disasters, man-made disasters and information and communication security incidents). It is advised that the organization exercise all scenarios, or rotate through some of them in turn.
- An organization shall perform the exercise according to the disaster or accident scenario, considering the involvement of staff responsible for core system recovery, personnel who perform the core business and suppliers required for recovery. It shall plan the quantity, size and levels of systems (dedicated servers, virtual hosts, middleware, etc.) needed for the exercise.
- Prior to an exercise, an organization shall identify the risks it may introduce (e.g. errors in or loss of production data, a reduced level of information protection during the exercise, or damage to clients’ rights) and prepare protection measures in advance.
- Exercises shall cover verification of the standard operating procedures created for the various core systems (including but not limited to monitoring, tiered exercises, reporting, response and recovery).
- An organization shall perform regular exercises and verify the feasibility of its core systems every year, and shall plan on-site and remote system backup exercises, on-site and remote system reconstruction exercises (for systems without backup) or on-site and remote data backup restoration tests as needed, to ensure staff familiarity and the effectiveness of the procedures. Records of these exercises shall be retained.
- During remote system backup exercises, Category 1 organizations shall include verification of actual business operation, to validate that internal resource arrangement and workforce deployment, coordination with external partners, and adjustment and interfacing of the information networks on which the minimum acceptable service level relies can all operate effectively at every key moment. Category 2 organizations are encouraged to do the same.
- An organization shall convene a review meeting after the exercise to confirm whether the recovery mechanism and the exercise results met the recovery time objective (RTO) and recovery point objective (RPO) established by the organization, and shall examine whether the existing on-site and remote system backup mechanisms and on-site and remote data backup mechanisms of the core systems meet the needs of the core business.
Article 14
- When a core system is outsourced, an organization shall ensure, based on the scope and characteristics of the outsourced services, that the recovery level of the core system can meet the system’s recovery time objective (RTO) and recovery point objective (RPO), so that the core business can be restored to the minimum acceptable service level after the supplier suffers an operational disruption for any of the following reasons. The organization shall further require the supplier to perform exercises, either in collaboration with the organization or on its own, to validate the feasibility of the core system.
  - disruption due to a natural disaster, man-made disaster, or information and communication security incident
  - an unexpected breakdown of, or alteration to, equipment
  - an adjustment to a function of the system, or a material structural change to it
  - product end of life, with no further technical assistance or services offered and the product no longer usable
- An organization shall include the above business continuity management requirements in the outsourcing contract.