Title: Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets

Announced Date: 2024.01.09 (Article 15 amended, English version coming soon)
Current English version amended on 2022.04.26
Categories: Information Operations
Article 15     (Management of Identity Verification)
  1. After logging in to the information and communication system with a default password, a user shall immediately be required to change the password in order to continue.
  2. Identity verification information of the information and communication system shall not be transmitted in cleartext.
  3. The information and communication system shall be equipped with an account lockout mechanism: after three failed identity verification attempts for an account login, no further login to that account shall be allowed for at least 15 minutes, or the validation failure mechanism developed by the organization shall be applied. In the case of an electronic transaction, after three failed attempts to enter the password, the login failure incident shall be recorded, the login account shall be locked out, and the connection shall be disconnected. When an unlock application is processed, the user's identity shall be precisely verified, and a relevant record kept, before the account is unlocked.
  4. When a password is used for verification, a minimum password complexity shall be prescribed, and restrictions on the maximum and minimum number of days a password may be used shall be imposed.
  5. When a password is changed, the new password shall at least not be the same as any of the previous three passwords used.
  6. With regard to the measures listed in the preceding two paragraphs, regulations set forth by an organization may apply to non-internal users.
  7. The identity verification mechanism of a core system shall prevent automated programs from logging in or attempting password changes. It is advisable for a non-core system to prevent the same.
  8. The password reset mechanism of a core system shall, after re-confirming the identity of the user, send a one-time, time-sensitive token (such as a network link or a one-time password (OTP) sent to the user's registered email address or mobile phone) or adopt another identity verification method. It is advisable for a non-core system to have an identity verification method in place after a password is reset.
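An added example, not part of the Guidelines, of how the Article 15 controls could be enforced in application code: a Python authentication policy applying the three-attempt lockout of at least 15 minutes with an audit record (paragraph 3), minimum and maximum password age (paragraph 4; the 1-day and 90-day values are assumed, since the Guidelines prescribe none), and the three-password history rule (paragraph 5, read as covering the current password and the two before it). The user name, salt, sample passwords and PBKDF2 iteration count are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
MAX_FAILURES = 3                 # par. 3: three failed attempts
LOCKOUT = timedelta(minutes=15)  # par. 3: no further login for at least 15 minutes
HISTORY_DEPTH = 3                # par. 5: not the same as the previous three passwords
MIN_AGE, MAX_AGE = timedelta(days=1), timedelta(days=90)  # par. 4: assumed values

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Account:
    user: str
    salt: bytes                   # constructed per-account salt
    history: List[bytes]          # hashes, most recent first; history[0] is current
    changed_at: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None
    log: List[tuple] = field(default_factory=list)  # audit record required by par. 3

def login(acct: Account, password: str, now: datetime) -> str:
    # Returns "ok", "failed" or "locked"; the account locks after MAX_FAILURES
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if hmac.compare_digest(pw_hash(password, acct.salt), acct.history[0]):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    acct.log.append((now, acct.user, "login_failure"))
    if acct.failures >= MAX_FAILURES:
        acct.locked_until, acct.failures = now + LOCKOUT, 0
        acct.log.append((now, acct.user, "account_locked"))
        return "locked"           # caller must also drop the connection (par. 3)
    return "failed"

def password_expired(acct: Account, now: datetime) -> bool:
    return now - acct.changed_at > MAX_AGE   # par. 4: maximum number of days

def change_password(acct: Account, new: str, now: datetime) -> str:
    # Returns "too_soon", "reused" or "changed" (paragraphs 4 and 5)
    if now - acct.changed_at < MIN_AGE:
        return "too_soon"
    new_hash = pw_hash(new, acct.salt)
    if any(hmac.compare_digest(new_hash, old) for old in acct.history):
        return "reused"
    acct.history = [new_hash] + acct.history[:HISTORY_DEPTH - 1]
    acct.changed_at = now
    return "changed"
```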