Title: Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets

Announced Date: 2024.01.09 (Article 15 amended, English version coming soon)
Current English version amended on 2022.04.26
Categories: Information Operations
Chapter 5 Identification and Authentication
Article 14    (Identification and Authentication of Internal Users)
  1. The information and communication system shall be equipped with a function that uniquely identifies and authenticates the organization's internal users (or processes acting on behalf of those users), and the use of joint (shared) accounts shall be prohibited.
  2. Multi-factor authentication shall be applied when an administrator account is used to log in to a core system through the Internet. Multi-factor authentication is advised for access by internal users to a core system of a type 1 organization.
Article 15    (Management of Identity Verification)
  1. After logging in to the information and communication system with a default password, the user shall be required to change the password immediately before continuing.
  2. Information pertaining to identity verification for the information and communication system shall not be transmitted in cleartext.
  3. The information and communication system shall be equipped with an account lockout mechanism. After three failed identity verification attempts on an account login, no further login to that account shall be allowed for at least 15 minutes, or the validation failure mechanism developed by the organization shall be applied. For electronic transactions, after three failed password attempts the login failure incident shall be recorded, the login account locked out, and the connection disconnected. When an unlock application is processed, the identity of the requester shall be precisely verified and a relevant record kept before the account is unlocked.
  4. When a password is used for verification, a minimum password complexity shall be prescribed, and the maximum and minimum number of days a password may be used shall be limited.
  5. When a password is changed, the new password may not, at a minimum, be the same as any of the previous three passwords used.
  6. With regard to the measures listed in the preceding two paragraphs, the regulations set forth by the organization may apply to non-internal users.
  7. The identity verification mechanism of a core system shall prevent logins or attempted password changes by automated programs. It is advisable for a non-core system to prevent logins or attempted password changes by automated programs as well.
  8. The password reset mechanism of a core system shall, after re-confirming the identity of the user, send a time-sensitive one-time token (such as a link or a one-time password (OTP) sent to the user's registered email address or mobile phone) or adopt another identity verification method. It is advisable for a non-core system to have an identity verification method in place after a password is reset.
Article 16    (Authenticator Feedback and Cryptographic Module Authentication)
  1. An organization shall obscure the feedback of authentication information during the authentication process of the information and communication system.
  2. Passwords used by an organization for authentication of the information and communication system shall be encrypted or hashed before being stored.
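The following is an added illustration of how Article 15 paragraphs 3 and 5 (lockout after three failures for at least 15 minutes, verified and recorded manual unlock, no reuse of the previous three passwords) and Article 16 paragraph 2 (hashed password storage) combine in one account model; it is not part of the guidelines or of any organization's system, and the function names, event labels and PBKDF2 parameters are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field
MAX_FAILURES = 3           # Article 15(3): three failed attempts
LOCKOUT_SECONDS = 15 * 60  # Article 15(3): at least 15 minutes
HISTORY_LENGTH = 3         # Article 15(5): not the previous three passwords

def hash_password(password: str, salt: bytes) -> bytes:
    # Article 16(2): store a salted hash, never the password itself (PBKDF2 assumed)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, digest); index 0 is current
    failures: int = 0
    locked_until: float = 0.0
    log: list = field(default_factory=list)      # (event, time) records kept

def set_password(acct: Account, new_password: str) -> bool:
    # Reject a password equal to the current one or any of the three before it
    for salt, digest in acct.history[:HISTORY_LENGTH + 1]:
        if hmac.compare_digest(hash_password(new_password, salt), digest):
            return False
    salt = os.urandom(16)
    acct.history.insert(0, (salt, hash_password(new_password, salt)))
    del acct.history[HISTORY_LENGTH + 1:]
    return True

def login(acct: Account, password: str, now: float) -> str:
    # Returns "ok", "failed" or "locked"; a lock expires only after LOCKOUT_SECONDS
    if now < acct.locked_until:
        return "locked"
    salt, digest = acct.history[0]
    if hmac.compare_digest(hash_password(password, salt), digest):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    acct.log.append(("login_failure", now))
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.log.append(("account_locked", now))
        return "locked"
    return "failed"

def unlock(acct: Account, identity_verified: bool, now: float) -> bool:
    # Manual unlock only after the requester's identity is verified, and always recorded
    acct.log.append(("unlock_granted" if identity_verified else "unlock_refused", now))
    if identity_verified:
        acct.locked_until, acct.failures = 0.0, 0
    return identity_verified
```

The electronic-transaction case in Article 15 paragraph 3 additionally requires dropping the connection on lockout, which belongs in the session layer and is not modelled here.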
Article 17    (Identification or Authentication of Non-Internal Users)
    The information and communication system shall identify and authenticate non-organization users (or processes acting on their behalf).