Reference Guidelines on the Cybersecurity Protection of Service Enterprises in Securities and Futures Markets

Announced Date: 2024.04.19 (Articles 2, 3, 5, 7, 8, 12, 16 amended; English version coming soon)
Current English version amended on 2022.04.26
Categories: Information Operations
Chapter 4 Security of Network Connection
Article 13    (Security Certification of Network Connection)
  1. An organization shall ensure the validity and legitimacy of SSL/TLS certificates to maintain the security of network connection.
  2. Where an organization offers online ordering service, it shall set forth a certificate delivery procedure that prevents third parties from obtaining the certificate, deliver the certificate through an authentication factor (e.g. OTP, SIM verification) different from the one used for two-factor authentication, and fully employ the verification mechanism.
Article 14    (Network Transmission and Connection Security Management)
  1. An organization shall use relatively secure encrypted connections in offering internal/external services without affecting operation.
  2. An organization using a dedicated network line to connect to the network of a third party with which it collaborates shall install a firewall and close non-agreed ports to ensure intranet security of the organization.
  3. A securities firm or futures commission merchant offering online ordering service shall encrypt the screen.
  4. In the event of the international transmission of classified data, an organization shall develop an encrypted transmission mechanism, and, if client information is involved, obtain the authorization from the subject prior to transmission, not violate any restriction of a competent authority on international transmission, and keep complete audit records.
Article 15    (Remote Connection)
  1. An organization shall set forth remote connection regulations, restrictions on use, configurations, and connection requirements, and document them. It shall develop a secure remote connection mechanism that includes multi-factor authentication (employee account passwords, dynamic passwords, one-time passwords), encrypted connections, the least privilege principle, complete audit trails of user operations, monitoring and alerting of anomalies, patching of security vulnerabilities, and other security measures, and shall retain the relevant records for re-examination by a competent supervisor.
  2. An organization must restrict login so that only personnel within the organization may connect, keep complete records of the operation trails of equipment, and prescribe the hours during which connection is available according to the operating hours of the relevant duties.
  3. An organization must prevent malicious or unauthorized connections through a secure connection mechanism, set forth rules in accordance with the least privilege principle, close unnecessary ports, and monitor network traffic with an anomaly alerting and disconnection mechanism.
  4. An organization must adopt differential management for users with regard to access privileges in accordance with the least privilege principle, allowing only access necessary for the conduct of business and disabling access to unnecessary system functions.