Title:

Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets

Announced Date: 2024.01.09 (Article 15 amended; English version coming soon)
Current English version amended on 2022.04.26 
Categories: Information Operations
   Chapter 2 Access Control
Article 4    (Account management)
  1. An organization shall establish the information and communication system account management mechanism, covering procedures for the application, creation, change, activation, deactivation, and deletion of an account.
  2. The information and communication system account approved by an organization for temporary or emergency use shall be deleted or banned after the operation ends.
  3. An organization shall ban an idle information and communication system account.
  4. An organization shall review the appropriateness of information and communication system accounts and authorizations.
  5. A type 1 organization shall define the idle time or available time of a core system and the status and conditions of use of said system, such as account type and restrictions on its functions, restrictions on operating hours, restrictions on the source IP address, number of connections, and accessible resources, etc.
  6. If a core system of a type 1 organization operates beyond the permitted idle time or available time prescribed, it is advisable for the system to log the user account out automatically.
  7. A type 1 organization shall use a core system in accordance with the circumstances and conditions prescribed by the organization.
  8. An organization offering online ordering services shall monitor and analyse on a daily basis the records of log-in attempts, etc. for core system accounts and non-client accounts, and shall report any irregular use discovered to the manager and follow up.
  9. No organization may use a client's explicit data, such as uniform business number, identity card number, mobile phone number, email address, credit card number, savings account number, etc., as the sole means of identification; it shall instead separately create a user code for identification purposes.
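The following is an added illustration, not part of the Guidelines, of how the idle-account check (item 3) and the daily review of log-in records (item 8) in Article 4 might be implemented. It operates on a constructed, hypothetical log-in record format (timestamp, account, result, source IP); the account list, the approved source network, the 30-day idle threshold and the failed-attempt threshold are all assumptions chosen for the example, not values prescribed by the Guidelines.

```python
import ipaddress
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample of core-system log-in records (hypothetical format:
# "timestamp account result source_ip"). Not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T08:02:11 alice success 10.1.1.20
2024-03-01T08:05:40 bob failure 10.1.1.21
2024-03-01T08:05:52 bob failure 10.1.1.21
2024-03-01T08:06:03 bob failure 10.1.1.21
2024-03-01T08:06:15 bob failure 10.1.1.21
2024-03-01T08:06:30 bob failure 10.1.1.21
2024-03-01T08:06:44 bob success 10.1.1.21
2024-03-01T09:15:00 carol success 203.0.113.7
2024-01-10T07:55:00 dave success 10.1.1.22
"""

# Assumed: the accounts currently provisioned on the core system, including one
# ("erin") that has never logged in, and the organization's approved access
# control point (Article 6 item 5) expressed as a network.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin"}
APPROVED_NETS = [ipaddress.ip_network("10.1.1.0/24")]


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result, ip = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "result": result,
            "ip": ipaddress.ip_address(ip),
        })
    return records


def idle_accounts(records, known_accounts, now, idle_days=30):
    """Accounts with no successful log-in within idle_days (Article 4 item 3).

    Accounts that have never logged in successfully are reported as idle too,
    since they are candidates for deactivation on the same grounds.
    """
    last_ok = {}
    for r in records:
        if r["result"] == "success":
            prev = last_ok.get(r["account"], r["ts"])
            last_ok[r["account"]] = max(prev, r["ts"])
    cutoff = now - timedelta(days=idle_days)
    return sorted(a for a in known_accounts
                  if last_ok.get(a, datetime.min) < cutoff)


def daily_irregularities(records, day, approved_nets, max_failures=3):
    """Daily review of log-in attempts (Article 4 item 8).

    Flags accounts with more than max_failures failed attempts on `day`, and
    any successful log-in from a source outside the approved networks.
    Returns a list of (account, description) findings for the manager.
    """
    failures = defaultdict(int)
    findings = []
    for r in records:
        if r["ts"].date() != day:
            continue
        if r["result"] == "failure":
            failures[r["account"]] += 1
        elif not any(r["ip"] in net for net in approved_nets):
            findings.append((r["account"],
                             f"success from unapproved source {r['ip']}"))
    for account, n in sorted(failures.items()):
        if n > max_failures:
            findings.append((account, f"{n} failed log-in attempts"))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("idle:", idle_accounts(recs, KNOWN_ACCOUNTS, datetime(2024, 3, 2)))
    for acct, why in daily_irregularities(recs, date(2024, 3, 1), APPROVED_NETS):
        print(f"irregular: {acct}: {why}")
```

The two checks are deliberately separate functions because they feed different procedures: idle accounts go to the account management mechanism of item 1 for deactivation, while daily irregularities are reported and followed up under item 8.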
Article 5    (Least Privilege)
  1. The information and communication system account shall be least privileged in principle, only authorizing access to users (or processes acting on behalf of users) for completing an operation as necessary according to the authority and responsibility and business function of each department of the organization.
  2. An organization shall define the roles and duties of its personnel and segregate conflicting roles.
Article 6    (Remote Access)
  1. An organization shall prescribe remote connection regulations setting forth restrictions on use, configuration requirements, connection requirements, and documentation. Prior authorization shall be obtained, and records kept, for any type of remote access permitted.
  2. An organization shall complete at server side the verification of an authorized log-in of the information and communication system account.
  3. An organization shall monitor the connection of an external network that remote-connects and accesses the organization’s internal network segment.
  4. The information and communication system shall use an encrypted connection mechanism.
  5. The source of remote access to the information and communication system shall be an access control point approved by the organization.