Title: Reference Guidelines on the Supply Chain Risk Management of Service Enterprises in Securities and Futures Markets

Announced Date: 2024.11.07 (Articles 1, 2, 3, 4, 6, 7, 8, 11, 12 amended, English version coming soon)
Current English version amended on 2022.04.26
Categories: Information Operations
   Chapter 3 Management of Information Service Suppliers
Article 7    (Safety Control of Information Service Supplier Agreements)
  1. After an organization selects an information service supplier, the parties shall agree on and confirm the content of the agreement. The agreement shall incorporate the following:
    1. Basic contractual requirements
      1. term of the agreement
      2. scope of service
      3. delivery date of the service
      4. service standard
      5. provisions on the change of service
      6. standards for acceptance testing of the service
      7. procedures for handling an information and communication security event, including the requirement that the engaged contractor take the initiative to notify the principal promptly should such event occur
      8. clauses giving the organization rights to audit the information service supplier, including, within the scope of outsourcing, the information service supplier consents that a competent authority or the Central Bank may obtain relevant data or reports and conduct financial examinations or may order it to provide related data or reports within the prescribed time limit
      9. provisions on the assignment of the agreement or consent to subcontracting
      10. confidentiality clause
      11. penal provisions and damages clause
      12. dispute resolution procedures
      13. breach of contract clause
      14. provisions on termination, including material grounds for termination and clauses entitling a competent authority to give notice of termination or rescission in accordance with the contract
      15. consequences of termination
      16. warranty
      17. rights and responsibilities
    2. Requirements for the information service supplier’s products and services
      1. An organization shall specify expressly the intellectual property rights in the IT-outsourced service or product.
      2. An organization shall specify expressly whether subcontracting of the IT-outsourced service or product to other suppliers is permitted. If it is permitted, the information service supplier shall provide the subcontracting plan and obtain the organization’s approval before proceeding with the subcontracting.
      3. A type 1 organization shall specify expressly the requirement that security by design be incorporated into the service or product being procured during its inception. The security by design mechanism shall include, in respect of the service and product, the protection of classified information, authorization and authentication, security update, etc.
      4. A type 1 organization shall specify expressly the requirement that privacy by design be incorporated into the service or product being procured during its inception.
    3. Where the scope of service involves the development, maintenance, and monitoring of the information and communication system, an organization shall expressly require the information service supplier to comply with the Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets.
    4. Where the scope of service involves the use of the cloud computing service, an organization shall expressly require the information service supplier to comply with the Securities and Futures Market Related Association Emerging Technology Information Security Control Guidelines.
    5. Requirements for information security of the information service supplier
      1. An organization shall specify expressly the information security requirements, Personal Data Protection Act, other applicable laws and regulations, and confidentiality obligations with which the information service supplier shall comply.
      2. An organization shall specify expressly its role and responsibilities and those of the information service supplier in regard to information security within the scope of IT outsourcing.
      3. An organization shall specify expressly that the information service supplier shall provide certification of security testing such as mobile application security checks, source code analyses, vulnerability scans, etc. and shall ensure the system or program delivered is free of malicious programs and backdoors. Programs installed on the Internet shall pass code scanning or black box testing.
      4. An organization shall specify expressly that the information service supplier be required to present certification of the sources and licences of the components of third-party programs.
      5. An organization shall specify expressly that information on the scope of service outsourced by the organization as processed by the information service supplier be made available within the time limit prescribed by the organization.
      6. An organization shall specify expressly the procedures for an information service supplier to handle a change of service or information and communication security event.
      7. A type 1 organization shall specify expressly that, to the extent of IT outsourcing, information of the organization be clearly separated from data of an information service supplier and data of other organizations that are processed by an information service supplier and shall encrypt said information for protection.
      8. A type 1 organization shall specify expressly the permits and licenses concerning information security and quality that shall be obtained by an information service supplier.
  2. An organization shall ascertain the extent of completion of confidentiality undertakings by an information service supplier during the execution of the contract.
Article 8    (Information Service Supplier Access Management)
  1. For the purpose of protecting its information assets, an organization’s project officer shall advise an information service supplier of the organization’s regulations pertaining to information security and make an application in accordance with the authorization application procedure of the organization before he or she may authorize the information service supplier access to the organization’s information assets.
  2. An organization shall control and manage the right of access and use by an information service supplier’s personnel and computers and reclaim such right immediately after the outsourcing period ends.
Article 9    (Identification of Access Risk of an Information Service Supplier)
    The project officer shall conduct a risk assessment taking the following into consideration where it is necessary for an information service supplier to access the information assets and trade secrets of an organization:
  1. Laws and regulations or competent authority regulations shall be complied with. Security control shall be designed in accordance with the principle of least privilege and minimum disclosure necessary for the outsourcing.
  2. Control measures for the acquisition, use, safekeeping, inquiry, revision, adjustment, and destruction of an organization’s information assets and trade secrets shall be taken into account in their control and management.
  3. An information service supplier’s responsibility for protection:
    1. An organization shall require that the access control measures of an information service supplier not be inferior to the terms of the agreement with the organization and Article 7, paragraphs 1 and 2 of the Trade Secrets Act.
    2. An organization shall require an information service supplier to warrant that use of the information asset or trade secret concerned is limited to the scope of application.
Article 10    (Security Management)
    An organization shall pay attention to the following in the course of a project:
  1. Where an information service supplier overspecializes, a register shall be compiled to facilitate management, and its information security event identification, response, and risk mitigation mechanisms shall be ascertained.
  2. A foreign investment organization shall comply with the following if it outsources information to the head office or an overseas subsidiary for offshore processing for the purposes of internal division of work (Outsourcer Institution):
    1. The organization shall fully understand and maintain access to the status of collection, processing, use, international transmission, and control of client information by the Outsourcer Institution.
    2. Client information made available by the organization to the Outsourcer Institution shall be limited to necessary information that directly pertains to the outsourced matter.
    3. The organization shall require the Outsourcer Institution to comply with the following:
      1. The organization’s client information shall be used and processed only by authorized personnel of the Outsourcer Institution within the scope of the outsourced matter.
      2. The organization’s client information shall be clearly separated from the data of the Outsourcer Institution and data of other institutions processed by the Outsourcer Institution.
      3. Client information of the organization as processed by the Outsourcer Institution shall be made available to the organization promptly.
    4. In the event of the international transmission of classified data, the organization shall develop an encrypted transmission mechanism, confirm the compliance of the Outsourcer Institution’s collection, processing, use, international transmission, and control of client information with the applicable provisions of Taiwan’s Personal Data Protection Act, obtain authorization from the subject prior to transmission, not violate any restriction of a competent authority on international transmission, and keep complete audit records.
  3. The organization shall manage and periodically examine (at least biannually) the field operation and authorization of physical access and logic access of the information service supplier, including the operational site’s configurations, network equipment and host connection, computer and telephone use, access to and from the computer room, temporary pass application, etc.
  4. The organization shall include in its security management personnel of information service suppliers stationed within the organization. Security control measures shall be in place if use of intranet resources is contemplated (e.g., in the event of adaptation or a separate network, physical separation shall be made with the intranet).
  5. An organization shall request the information service supplier for a list of stationed personnel.
Article 11    (Management of Change of Service)
    If information security is impacted by a change of a service rendered by an information service supplier, the project officer of the organization shall conduct a risk assessment, e.g., impact analysis of confidentiality, integrity, and availability, ISO 27001 risk assessment, with regard to the service changed.
Article 12    (Review of Services of an Information Service Supplier)
  1. An organization or a third party authorized thereby may audit an information service supplier periodically (at least once a year), and when the organization deems monitoring and audit necessary, during the IT outsourcing period.
  2. If an organization outsources, e.g., a software and hardware maintenance agreement, system management, etc., for a year or more, the information service supplier shall provide periodic service standard reports for review and reference in accordance with the requirements of the agreement.