Title: Establishing Information Security Inspection Mechanisms for Securities Firms

Amended Date: 2025.04.11 (Articles 1, 2, 3, 4, 6, 7, 8, 9, 10, 12, 14 amended; English version coming soon)
Current English version amended on 2023.12.14
Categories: Market Supervision > Regulation of Securities Firms
Article 10  Business Continuity Management (CC-20000, semi-annual audit)
  1. Failure recovery procedures (e.g. backup and recovery plans for computer equipment, communications equipment, power systems, databases, and computer operating systems etc.) shall be clearly formulated and implemented, and records shall be made.
  2. Failure recovery procedures shall be tested periodically; after testing, a review meeting shall be convened to consider ways to improve in response to deficiencies and a record thereof shall be retained.
  3. Securities brokers shall have backup measures in place for their trading servers and shall establish remote backup server rooms according to their information security level.
  4. The company shall formulate a business continuity plan (covering such matters as activation conditions, participating personnel, emergency response procedures, backup procedures, maintenance schedules, education and training, descriptions of job duties, response plans of outside entities with which the company does business, and contract suitability) and maintain the measures necessary for the plan. It shall identify the key operations and perform related impact analyses, evaluate the degree of impact caused by interruption of the core system, and use the core system's recovery time objective (RTO) and recovery point objective (RPO) as the basis for recovery of the core system, backup planning, and implementation of recovery work, followed by business continuity exercises conducted regularly according to its information security level.
  5. The company shall adopt an information security reporting mechanism (e.g. formal reporting procedures and appointed contacts for information security incident reports). In the event of information security and service irregularities relating to information systems, the company shall apply the Operational Guidelines on Reporting of Information and Communication Security Related Events in Securities and Futures Markets and the Scope, Reporting Procedures and Other Requirements for Securities Firm’s Reporting of Material Information Security Events, take appropriate corrective procedures, and retain related records.
  6. Any theft, alteration, damage, loss or divulgence of, or other information security incident involving, personal information shall be immediately reported by the company to the TWSE (TPEx or Taiwan Securities Association) in writing, to be advised to the competent authority.
  7. The company shall establish clear operational procedures to defend against and respond to distributed denial-of-service (DDoS) attacks.
  8. The company shall proceed with the following information security matters:
    1. designate personnel and departments to coordinate with and liaise among all related departments;
    2. periodically evaluate core operating systems and equipment, take appropriate measures in response to evaluation results, and make a report to the board of directors, to ensure capability for business continuity and operational resilience;
    3. disclose in sustainability reports, annual reports, or financial reports or on the company website the resources required for the company to continue with the operation of core operating systems and equipment within the year and the relevant implementation of annual budgets or education and training programs etc.
  9. A company shall identify risk scenarios, and formulate, based on different risk scenarios, procedures for response, disaster risk reduction or recovery measures applicable to various systems in the event of abnormality or interruption of information operation caused by disaster.
  10. In case of interruption to the core system’s services, the core system shall be replaced by backup equipment or other method to provide services within the tolerable time period.