9
Systems Development and Maintenance (CC-19000, semi-annual audit)
- Information security requirements shall be included in the analysis and specifications when an application system is being planned.
- Inputs shall be verified to confirm their accuracy.
- Only legally licensed software shall be used.
- Management of supplier of outsourced work:
- The company and the outsourced information service provider shall enter into a contract covering: contract term, scope of services, delivery date of services, requirements on service level, regulations for change of services, standards for acceptance of services, procedures for reporting of information and communication security incidents and response actions, provisions of right to audit information service providers, regulations for contract assignment or agreement on subcontracting, confidentiality provisions, penalty and damage compensation provisions, dispute resolution procedures, breach of contract, terms for contract termination, and handling, guarantee, rights and obligations after contract termination.
- The securities firm shall assess concentration of information service providers, including evaluating the capabilities of information service provider, taking appropriate risk management measures, ensuring the quality of outsourced operation, and maintaining proper diversity of suppliers of outsourced operation to control operational risks.
- An information service provider shall provide security test certification (e.g. mobile app information security tests, source code tests, and vulnerability assessments), shall ensure that the system or program delivered contains no malware or backdoor program, and programs exposed on the Internet shall pass code scanning or black-box testing.
- The company shall establish regulations governing the operation after termination, rescission or cessation of the outsourcing relationship with the information service provider.
- The outsourced information service provider shall disclose the sources of components of third-party programs and license certification.
- The company shall manage the information service provider's access and properly control general access rights to its computer systems.
- The company shall perform risk assessments in the event of changes to information service provider’s services.
- With respect to corporate information and assets involved in the outsourcing relationship, the company shall require the provider to return all information upon termination, rescission or cessation of the relationship, shall ensure the information is destroyed or transferred to another information service provider, and shall require the provider to continue to keep the information confidential.
- If the outsourced information service provider discovers vulnerabilities in the programs, learns that a version has become outdated, or learns that another securities firm's application system using the same services is experiencing failures or abnormalities, the provider shall determine the cause as soon as possible and proactively notify the company and provide response measures.
- The service specifications of an outsourced information system shall include hardware specifications, software versions, changes to the operating environment, the underlying structure of the operating system, and compatibility of systems and programs, as well as the requirement to maintain the outsourced provider's service level and horizontal communication channels.
- When a completed program requires maintenance, it must be carried out in accordance with formally approved procedures.
- All documents and handbooks shall be properly maintained and controlled.
- Specially appointed personnel shall be responsible for maintaining application systems.
- Management of changes to application systems:
- Files that contain programs, data, and job control commands for production and test operations shall be stored separately.
- When a program is modified, its documentation shall be promptly updated.
- The company shall regularly (at least semi-annually) scan its information systems for vulnerabilities. When potential vulnerabilities are identified, it shall evaluate the associated risks or install software patches, and shall retain a record (applicable to securities firms accepting orders online, but not applicable to those accepting orders by telephone or in the traditional manner).
- Source code security regulations (applicable to securities firms accepting orders on the Internet, not to those accepting orders by telephone or in the traditional manner):
- A program shall be free of malware and other security vulnerabilities.
- A program shall use a comprehensive validation mechanism that is both appropriate and effective to ensure completeness.
- When a library the program depends on is updated, a corresponding updated version of the program shall be made available.
- A program shall perform security checks on character strings entered by users and provide a protection mechanism against injection attacks.
- Where a mobile application developed by an outsourcer involves transmission of sensitive data (such as a customer's account password or transaction data), the company shall check and verify whether the parties to which the data are transmitted are appropriate, and shall retain relevant records.
- If no source code of the program is available, the provider of the program shall be required to comply with the security measures in the preceding five paragraphs ((a) through (e)).
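The following is an added example, not part of the guideline text, illustrating the validation and injection-protection requirements above for user-supplied strings. It uses Python's standard-library sqlite3 module; the table layout, the account-number format and the sample rows are constructed for illustration only. Validation (an allow-list pattern) and parameterised queries are shown as separate layers, because the guideline asks for both a check on the entered string and a protection mechanism.

```python
"""Added example: input validation plus parameterised SQL as two independent
defences against injection. Table, columns, account-number format and sample
rows are constructed assumptions, not taken from the guideline."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_no TEXT PRIMARY KEY, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("A100001", 500), ("A100002", 1200)],
    )
    return conn


# Assumed account-number format: one upper-case letter followed by six digits.
ACCOUNT_RE = re.compile(r"[A-Z][0-9]{6}")


def validate_account_no(value: str) -> str:
    """Allow-list check on the entered string: anything that is not a
    well-formed account number is rejected before it reaches the database."""
    if not isinstance(value, str) or ACCOUNT_RE.fullmatch(value) is None:
        raise ValueError("invalid account number")
    return value


def lookup_balance_vulnerable(conn: sqlite3.Connection, account_no: str) -> list:
    """Vulnerable form: the user string is spliced into the SQL text, so
    a payload such as  ' OR '1'='1  changes the query's logic."""
    sql = f"SELECT balance FROM accounts WHERE account_no = '{account_no}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_balance_parameterized(conn: sqlite3.Connection, account_no: str) -> list:
    """Protection mechanism: the value is bound as a parameter, so the driver
    never interprets it as SQL. An injection payload simply matches no row."""
    rows = conn.execute(
        "SELECT balance FROM accounts WHERE account_no = ?", (account_no,)
    )
    return [row[0] for row in rows]


def lookup_balance_safe(conn: sqlite3.Connection, account_no: str) -> list:
    """Both layers: validate the string first, then query with a bound parameter."""
    return lookup_balance_parameterized(conn, validate_account_no(account_no))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_balance_vulnerable(db, payload))   # leaks every balance
    print("parameterized:", lookup_balance_parameterized(db, payload))  # []
    try:
        lookup_balance_safe(db, payload)
    except ValueError as exc:
        print("safe:", exc)  # rejected before any query runs
```

The vulnerable function is kept only to show what the guideline is guarding against; a production code path should expose only the validated, parameterised form, and the same pattern applies to any other interpreter (shell commands, LDAP filters, HTML) that a user string reaches.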
- Mobile application security control (applicable to securities firms accepting orders on the Internet, not to those accepting orders by telephone or in the traditional manner):
- Launch of a mobile application:
- A mobile application shall be published in a mobile application store or on a mobile application website from a trusted source. The sensitive information to be accessed, the mobile device resources used, and the declared permissions and their purposes shall be specified at publication.
- The name, version and download location of a mobile application shall be provided on the official website.
- A fake mobile application detection mechanism shall be in place to protect customers’ rights and interests.
- Before launch, it shall be verified that the permissions requested by a mobile application correspond to the services it offers. The initial launch and any change of permissions are subject to the consent of the information security and legal compliance units and shall be documented, to facilitate an overall assessment of whether the duty to notify under the Personal Data Protection Act is satisfied.
- Protection of sensitive information:
- When a mobile application transmits and stores sensitive data, an authentication, hashing or encryption mechanism shall be in place to ensure secure transmission and storage, and the data shall be appropriately de-identified when in use. Relevant access logs shall be protected to prevent unauthorized access.
- Upon activation, a mobile application shall detect whether the mobile device appears to be unlocked (such as by rooting, jailbreaking, or enabling USB debugging) and, if so, issue a risk alert to the user.
- Mobile application testing:
- For mobile applications used by investors, data security testing shall be conducted by a third-party testing laboratory accredited by the Taiwan Accreditation Foundation (TAF), and shall be passed before initial launch and annually thereafter. Such testing shall cover the items listed in the guidelines for vetting the security of mobile applications published by the Mobile Application Security Alliance, the testing unit commissioned by the competent authority for the industry concerned. If the application is updated within the year after laboratory testing is passed, material updates shall undergo outsourced or in-house testing before each release. Material updates are functional changes to "trading orders," "account inquiries," "identification" and "material customer rights and interests." The testing is based on the OWASP Mobile Top 10 and shall be documented.
- The company shall have a re-examination mechanism for the test reports provided by a third-party testing laboratory, to ensure the test items and contents are consistent with what is required. Such re-examinations shall be documented.
- The core system shall display only a short error message and error code on the risk evaluation user page, without detailed error messages.
- A "source code scanning" security check shall be conducted before the core system providing online trading order services goes live, and upon each system update.
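The following is an added example, not part of the guideline text, showing one way to meet the requirement that the user page carries only a short message and code while the detailed error stays in the internal log. The error codes, the user-facing messages, the exception-to-code mapping and the failing backend are all constructed assumptions for illustration; a real core system would define its own.

```python
"""Added example: convert internal exceptions into a short user-facing error
code and message, keeping the stack trace and exception text in the internal
log only. Codes, messages and the sample backend are constructed assumptions."""
import logging
import traceback
import uuid

logger = logging.getLogger("core_system")

# Fixed, short user-facing texts keyed by error code (assumed values).
# Nothing here names a host, a table, a library or an exception type.
USER_MESSAGES = {
    "E1001": "The order could not be processed. Please try again later.",
    "E1002": "Your session has expired. Please log in again.",
    "E9999": "An unexpected error occurred.",
}


def classify(exc: Exception) -> str:
    """Map an exception type to an error code; unknown types get the generic code."""
    if isinstance(exc, TimeoutError):
        return "E1001"
    if isinstance(exc, PermissionError):
        return "E1002"
    return "E9999"


def user_facing_error(exc: Exception) -> dict:
    """Return only the code, the short message and a reference id that support
    staff can use to find the full record in the internal log."""
    code = classify(exc)
    ref = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    # Internal log keeps everything; the returned dict keeps none of it.
    logger.error("ref=%s code=%s exc=%r\n%s", ref, code, exc, detail)
    return {"code": code, "message": USER_MESSAGES[code], "ref": ref}


def process_order(order: dict, backend) -> dict:
    """Run the backend call and convert any failure into the short error form.
    The broad except is deliberate: no exception detail may reach the page."""
    try:
        return {"status": "ok", "result": backend(order)}
    except Exception as exc:
        return {"status": "error", **user_facing_error(exc)}


def constructed_failing_backend(order: dict):
    """Constructed backend that fails with an internal detail a user must not see."""
    raise TimeoutError("database host 10.0.0.5 unreachable after 30s")  # constructed


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(process_order({"symbol": "2330", "qty": 1000}, constructed_failing_backend))
    print(process_order({"symbol": "2330", "qty": 1000}, lambda o: "accepted"))
```

The reference id is what links the user's screen to the detailed log entry, so the page never has to show the stack trace, SQL text or internal host names that an attacker would otherwise harvest from error output.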