Article 4
(Risk management of cloud services)
- An organization using cloud services shall establish a governance framework for its use of cloud services, and shall plan for and approve the following:
- A cloud service management policy, subject to review at least once annually.
- The roles, duties and responsibilities assigned to the responsible unit and the relevant units in the use of cloud services. The responsible unit shall be in charge of cloud finance, cost or resource management.
- A risk-based approach to evaluating both the potential risks and the management risks of cloud services. The evaluation should include:
  - The modes and scenarios in which cloud services are used;
  - The business functions and data involved in the cloud services;
  - The organization's requirements for the feasibility and substitutability of the cloud services;
  - The organization's capability and experience in managing cloud services.
- In using cloud services and in controlling and managing the related risks, appropriate risk diversification shall be maintained. Where a multi-cloud or other diversification strategy is adopted, however, the additional risk arising from the greater operational complexity shall also be taken into account.
- Where an operation is outsourced offshore, the data protection requirements of the jurisdiction in which the cloud service provider processes and stores customer data shall be no less stringent than those of the R.O.C. Where the risk is high, the organization shall adopt appropriate risk control and management measures.
- An organization shall establish an adequate mechanism for monitoring the risks of its use of cloud services, e.g. monitoring cloud resource load, security protection and service availability, so as to support business continuity.
- The board of directors shall be aware of and supervise the risks of the organization's use of cloud services, and shall ensure that sufficient resources, expertise and authority are available for the control and management of cloud service risks.
- The organization shall ensure that relevant personnel have the necessary professional knowledge and skills. Staff training shall be provided regularly throughout the use of cloud services, and its effectiveness shall be verified. Training may cover information security, risk awareness, and cloud knowledge and skills, so as to enhance staff capability in the adoption, use and management of cloud services. A risk-based approach shall serve as the basis for decision-making and supervision.