Reference Guidelines on the Supply Chain Risk Management of Service Enterprises in Securities and Futures Markets

Announced Date: 2023.11.13 (Articles 4, 7, 10 amended; English version coming soon)
Current English version amended on 2022.04.26 
Categories: Information Operations
   Chapter 1 General Provisions
Article 1    (Purpose)
    For the purpose of assisting securities firms, futures commission merchants, and securities investment trust and securities investment consulting enterprises in managing the risk of the information service supply chain, these reference guidelines on supply chain risk management are established to address issues concerning the selection and management of, and the termination and rescission of contracts with, information service suppliers, in accordance with the issues raised in the "Financial Data Security Action Plan" published by the Financial Supervisory Commission concerning the enhancement of management mechanisms, such as risk assessment and audit, for financial industry information and communication system suppliers and cross-institutional information services.
Article 2    (Applicability and Parties Governed)
    Parties governed by these guidelines include securities firms, futures commission merchants, securities investment trust enterprises, and securities investment consulting enterprises, and are divided into the two types below:
  1. Type 1:
    1. organizations appointing a chief information security officer in accordance with Article 36-2 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets
    2. tiers 1, 2, and 3 securities firms in the Establishing Information Security Inspection Mechanisms for Securities Firms – Schedule for Required Measures under Tiered Protection
    3. tiers 1, 2, and 3 futures commission merchants in the Establishing Information Security Inspection Mechanisms for Futures Commission Merchants – Schedule for Required Measures under Tiered Protection
  2. Type 2: non-type 1 organizations
    If the data security management policy of a Taiwan subsidiary or branch of a foreign group is established and controlled by the foreign parent company or head office, the relevant control measures established by the parent company or head office prevail if they provide for better regulation; if no such measures are in place, the policy shall comply with the laws and regulations of Taiwan.
    The reference guidelines below address matters to be observed by both type 1 and type 2 organizations unless otherwise specifically remarked.
Article 3    (Definitions)
  1. Information technology outsourcing: a situation where an organization outsources information and communication services, in whole or in part, to software and hardware suppliers, maintenance and operation contractors, and cross-institutional partners outside the organization.
  2. Information asset: an asset pertaining to the processing of information, including hardware, software, data, documents, and personnel, such as the operating system, applications, and other software of a server or a user's computer.
  3. Information and communication system: a system used for collecting, controlling, transmitting, storing, circulating, or deleting information, or otherwise processing, using, and sharing information.
  4. Information and communication service: a service relating to the collection, control, transmission, storage, circulation, or erasure of information, or other processing, use, or sharing of information.
  5. Cloud computing service: a flexible, scalable, self-operable service available to users for the purpose of sharing computing resources through network technology.
  6. Trade secret: a method, technology, manufacturing process, formula, program, design, or other information that can be used in production, sale, or operation and that meets the following requirements:
    1. it is not generally known to persons involved with this type of information
    2. it has actual or potential economic value on account of its secrecy
    3. its owner has taken reasonable measures to maintain its confidentiality
  7. Access: the various ways of accessing information assets, including acquisition, use, safekeeping, inquiry, revision, adjustment, destruction, etc.
  8. Project officer: the project manager, the head of the department in charge of the particular business, or a person designated thereby.
  9. Security by design: the process of incorporating the concept of information and communication security into a service or product from its inception. Security requirements are listed, security risks identified, and control measures implemented during the design stage of the development process, as the basis for verifying security functions and ensuring a secure software life cycle.
  10. Privacy by design: the process of incorporating the concept of privacy protection into a service or product from its inception. Privacy protection requirements are listed, relevant risks identified, and control measures implemented during the design stage of the development process, as the basis for verifying security functions.
  11. Information and communication security event: an event where a system, service, or network is found upon evaluation to show signs of a possible breach of the information and communication security policy or a failure of a protective measure, which impacts the operation of the information and communication system and constitutes a threat to the information and communication security policy.