
Title: Establishing Information Security Inspection Mechanisms for Securities Firms

Amended Date: 2025.04.11 (Articles 1, 2, 3, 4, 6, 7, 8, 9, 10, 12, 14 amended; English version coming soon)
Current English version amended on 2024.11.12
Categories: Market Supervision > Regulation of Securities Firms
1 Risk Assessment and Management (CC-11000; applicable to securities firms placing orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner; annual audit)
  1. All of the company's information assets within the scope of applicable information security risk, and all owners of such assets, shall be identified.
  2. The acceptable level of information security risk for each of the company's operations shall be determined.
  3. The company shall conduct information security risk inspections at least once per year and keep the relevant records. Significant risks and control and management measures relating to operations (including risks in new products, new technologies and information systems) shall be covered by the risk assessment to ensure the validity of company policies, procedures and control and management measures.
  4. The core system should be examined with regard to its tolerable period of interruption, recovery time objective (RTO), and recovery point objective (RPO), and the tolerable period of interruption for the core system shall be determined based on the market share of the brokerage business and the percentage of clients who are natural persons.