• Font Size:
  • S
  • M
  • L

Chapter Content

Title:

Reference Guidelines on the Supply Chain Risk Management of Service Enterprises in Securities and Futures Markets  CH

Announced Date: 2024.11.07 (Articles 1, 2, 3, 4, 6, 7, 8, 11, 12 amended,English version coming soon)
Current English version amended on 2022.04.26 
Categories: Information Operations
   Chapter 2 Selection of Information Service Suppliers
Article 4    (Screening of Information Service Suppliers)
  1. An organization shall assess the operational capability of an information service supplier, adopt appropriate risk control measures, ensure outsourcing quality, and pay attention to appropriatelydiversifyinformation service suppliersto control operational risk. If there are doubts about overconcentration (including reliance on a single information service supplierby the organization or the market as a whole), the risk assessment shall be conducted in the selection of information service suppliers, and the results of the assessment shall be reported to the rank of general manager for approval.
  2. The standards for the selection of information service suppliers by an organization shall comprise the following and be documented and recorded for reference:
    1. Financial capability, management capability, professionalism, maintenance and operation capability, and track records of the information service supplier.
    2. A cloud computing service supplier shall have in place sound cloud computing information and communication security measures (provide a description of the measures and their implementation) or be third party-certified (e.g., CSA STAR, ISO 27017, ISO 27018).
    3. An information service supplier of a type 1 organization shall have in place sound information and communication security measures (provide a description of the measures and their implementation) or be third party-certified (e.g., ISO 27001).
Article 5    (Preparation and Execution of a Nondisclosure Agreement)
    Should information assets be exchanged in the course of selection of information service suppliers, an organization shall prepare a nondisclosure agreement properly and execute it before the exchange of classified information pertaining to the product or service being procured.
Article 6    (Request for Proposals)
    In the event of a large procurement specified by a type 1 organization, the organization shall request an information service supplier to present a proposal and ascertain whether the content of the proposal meet the requirements of the procurement or not. The proposal shall incorporate the following:
  1. the product/service to be procured by the organization
  2. the organization’s information security requirements with which the information service supplier shall comply, e.g., the organization’s information security policy
  3. the information service supplier’s project management capability