Directions on Information and Communication Security Management and Control of New Technologies for Associations of Securities and Futures Market

Amended Date: 2024.12.27
Categories: Information Operations
   Chapter II – Secured Operation of Cloud Computing Services
Article 2    (Definition relating to cloud services)
  1. Cloud services: Services that, based on shared use of computing resources enabled by online technologies, provide users with flexible, extendable and self-service capabilities, such as the following types of cloud services:
    1. Infrastructure as a Service or IaaS: A cloud service provider provides information technology infrastructure to cloud service users via the Internet.
    2. Platform as a Service or PaaS: A cloud service provider provides platform tools to cloud service users.
    3. Software as a Service or SaaS: A cloud service provider provides application services to cloud service users via the Internet.
  2. Cloud service providers: Refers to enterprises providing cloud services, and enterprises providing application software services, tools or solutions to clients on a cloud platform.
  3. Risk-based approach (RBA): An organization shall identify, evaluate and understand the risks in its use of cloud services, and take appropriate control measures to effectively reduce these risks. Under this approach, the organization shall take strengthened measures in higher-risk situations and may take relatively simple measures in lower-risk situations, so as to allocate resources effectively and reduce the identified risks in its use of cloud services by appropriate and effective methods.
  4. Exchangeability: Systems or data can be transferred from the originally contracted cloud service provider to another cloud service provider or transferred back to the organization.
  5. Industry-specific directions for operations outsourcing: For securities firms, it means the Directions for Operations Outsourcing by Securities Firms; for futures commission merchants, it means the Directions for Operations Outsourcing by Futures Commission Merchants; for investment trust enterprises and investment consulting enterprises, it means the Directions for Operations Outsourcing by Securities Investment Trust Enterprises and Securities Investment Consulting Enterprises.
  6. Materiality: Refers to the definition in the industry-specific directions for operations outsourcing.
Article 3    (Scope of application for directions on cloud services)
  1. These directions apply to an organization's outsourcing of operations that involve the business activities stated in its business license or customer information, where such outsourcing involves the use of cloud services; in that case the management and control recommendations under these directions shall be complied with.
  2. An organization whose use of cloud services is not covered by the scope in the preceding paragraph may refer to the control and management requirements under the directions and adopt necessary cloud services information security control and management.
  3. For operations outsourcing that involves cloud services by the Taiwanese subsidiary or branch of a foreign corporate group, if the outsourcing is handled by its foreign parent company or head office, the management and control measures established by the foreign parent company or head office may be followed, provided that the requirements shall not be less than those under these directions. The Taiwanese subsidiary or branch of a foreign corporate group shall create an appropriate internal control system and risk management mechanism for its business in Taiwan, and shall retain full control over the management of the part of its Taiwanese operations that involves cloud service outsourcing.
Article 4    (Risk management of cloud services)
  1. An organization using cloud services shall establish the governing system for use of cloud services, and make plans for and acknowledge the following:
    1. To establish a cloud service management policy, subject to review at least once annually.
    2. Roles, duties and responsibilities specific to the responsible entity and relevant entities in the use of cloud services. The responsible entity shall take the role of cloud finance, cost or resource management.
    3. To adopt the risk-based approach to evaluate potential risks and manage risks in cloud services. It is advised that evaluations include:
      1. Mode and scenario of use of cloud services;
      2. Business and data relating to cloud services;
      3. The organization's requirements on feasibility and exchangeability of cloud services;
      4. The organization's management capability and experience of cloud services.
    4. For use of cloud services and control and management of related risks, proper diversity of risks shall be maintained. When multiple clouds or other diversity strategies are used, however, increased risks in higher complexity of operation shall also be considered.
    5. If an operation project is outsourced offshore, the requirements of data protection legislation of the jurisdiction where the cloud service provider processes and stores client data shall not be less than those in the R.O.C. In case of high risks, an organization shall take appropriate risk control and management measures.
    6. An organization shall create an adequate monitoring mechanism for risks in use of cloud services, e.g. monitoring cloud resources load, security protection and service availability, to facilitate continued business operation.
  2. The board of directors shall acknowledge and supervise the risks in the organization’s use of cloud services, and ensure to have sufficient resources, expertise and authority for control and management of cloud service risks.
  3. The organization shall ensure that relevant personnel have the necessary professional knowledge and skills. Staff training shall be provided regularly during the use of cloud services, and the effectiveness of the training shall be verified. The training may cover information security, risk awareness, cloud knowledge and skills, etc., to enhance staff capability in the introduction, use and management of cloud services. The risk-based approach shall be used as the basis of decision-making and supervision.
Article 5    (Selection and due diligence of cloud service providers)
  1. An organization shall perform due diligence and regular review procedures for cloud service providers based on the cloud service mode in use for evaluations of service quality, backup mechanism, data destruction mechanism, resources logic partition mechanism, log retention mechanism, information and communication security protection capability, management of information and communication security reporting responsibility, business continuity operation and disaster recovery capability, professional knowledge and resources of contracted business, financial health, internal control and compliance of law of a cloud service provider to see if needs can be met. In the event of a deficiency in meeting the needs, other compensatory measures should be considered.
  2. An organization shall maintain full ownership of the data processed by the contracted cloud service provider. A cloud service provider shall not be authorized to access client information except as required to perform the requested services, and shall not use this information for any purpose beyond the scope of the request.
  3. To ensure the system can be relocated or the data can be migrated out of cloud services at the end of the services, an organization shall evaluate and determine if the cloud service provider can satisfy the following needs for cloud interoperability and portability:
    1. A cloud service provider may provide documents describing interoperability and portability of application programs and information processing for the organization’s reference.
    2. A cloud service provider is advised to use the virtualized platform, virtual machine file format, and data and file format commonly seen in the industry to ensure interoperability.
    3. If the cloud services provided by a cloud service provider involve accessing via application interfaces, it is advisable to use an open or public application programming interface (API) to ensure better portability of application components.
Article 6    (Cloud service audit)
  1. With regard to cloud service outsourcing operation, an organization shall have the ultimate responsibility for supervision of cloud service provider by performing periodic audits on cloud service provider. It is advised to have plans, according to risk-based approach, for audit frequency, what should be audited, time and method of audit. Where necessary, a third-party professional may be appointed to assist in the supervision. The industry-specific directions for operations outsourcing shall also be complied with.
  2. An organization shall ensure it, competent authority, industry association and its appointed person may access information or reports on the operation of the cloud service provider, including audit reports on client information and relevant systems, and perform audits.
  3. For cloud outsourcing operations involving materiality, it is advised the key audits on cloud services shall include:
    1. Physical security control and management mechanism of the server room enabling cloud services.
    2. Important systems and control links relating to operation by cloud service provider.
    3. Contents of reports provided by cloud service provider during due diligence.
    4. Data deletion and disaster recovery process on the cloud platform.
    5. The cloud service provider’s business continuity control measures.
    6. Appropriateness of implementation of cloud service operation, and compliance with the relevant international information security standards and privacy protection standards.
  4. Improvements made by the cloud service provider in response to audit results shall be followed up on a continuous basis to ensure it takes proper and timely remedial measures.
Article 7    (Cloud service supply chain management)
  1. For supply chain management of cloud service outsourcing operation, the Reference Directions for Information and Communication Systems and Service Supply Chain Risk Management shall be referred to.
  2. If a cloud service provider is appointed to operate a natural person’s business information system involving materiality, the contract or agreement shall include the terms on migration of outsourced services to another cloud service provider or transfer back to the organization, the original cloud service provider’s obligations on system migration and data processing, and the cloud service provider’s compensation liability for service interruption.
  3. If the terms of the contract or agreement do not meet the requirements in the first and second paragraphs of this article, adequate evaluations shall be performed and alternatives shall be planned based on risks to ensure performance of ultimate obligations to supervise the cloud service provider.
Article 8    (Control and management of information security of cloud services)
    When using cloud services, an organization shall, in accordance with the risk-based approach, implement appropriate control and management measures, such as exposing only necessary ports, protocols and services, virus protection, a security vulnerability assessment system, and monitoring of file integrity.
  1. Encryption and key management
    1. For transmission of client data to, and storage of client data at, a cloud service provider, there shall be effective protection measures in place such as encryption or encoding of client data, and an adequate encryption key management mechanism shall be created.
  2. Identification and access control
    1. Authority to access cloud services shall be managed according to the principle of least privilege, with appropriate security control and management measures, such as communication management through multi-factor authentication, audit trails, IP filtering, firewalls, and Transport Layer Security (TLS).
    2. In case of direct access to cloud services via the Internet, access control measures such as identification of identity, equipment and source IP shall be strengthened.
    3. Privilege accounts, e.g. accounts with authority to change configuration setup of cloud services, shall be subject to multi-factor authentication.
  3. Audit trails and monitoring
    1. Information about audit trails and monitoring of cloud service platform operation shall be retained.
    2. There shall be threat and vulnerability detecting and management procedure that continues to watch for threats and vulnerabilities relating to cloud services, and regularly evaluates impact of these threats and vulnerabilities on use of cloud services and effectiveness of network security defense measures.
    3. It is advisable to create rules that link monitoring and analysis of scenarios for cloud security events to enable early detection of potential information security risks.
    4. It is advisable to implement central management of audit trails and monitoring information.
    5. Cloud platform audit trails shall not include unencrypted operation or important client data.
    6. Where an organization’s cloud services also incorporate interface with on-premise information environment, it is advisable to consider boundary protection between cloud and on-premise services and create methods such as logs and monitoring and control analysis.
  4. Security of infrastructure
    1. To ensure use of images from reliable sources for management integrity of images and to retain records of changes to images.
    2. To ensure use of proper measures for management of virtual machines and containers in use.
    3. To ensure a cloud service provider shall provide the information about isolation of virtual machines depending on the needs, and should immediately notify the organization when the isolation fails.
    4. To implement advanced threat defense strategies such as protection against data breach and cross-service attacks and continued protection against threats for protection of access to the cloud environment.
  5. Configuration security
    1. To implement a cloud service configuration management mechanism to properly control the records of changes to cloud service configuration.
  6. Data security
    1. Where registration, processing, exporting or storage of organization data (including client data) are involved, an organization shall ensure the cloud service provider has relevant mechanisms in place to ensure security and integrity of data migration upon maintenance and replacement of equipment (e.g. disk replacement); all organization data on the obsolete equipment shall be deleted or destroyed, and the records of these deletions or destructions shall be retained.
    2. For cloud services involving cross-border transmission of personal data, an organization shall have an encrypted transmission system in place, and make sure the cloud service provider's collection, processing, use, international transmission and control and management of personal data comply with the Personal Data Protection Act of the Republic of China. The data subject's authorization shall be obtained prior to transmission, and no transmission may violate the competent authority's restrictions on international transmission. Full audit records shall be kept.
    3. Client data processed by the contracted cloud service provider and the place of storage shall be subject to the following requirements:
      1. An organization shall have the authority to designate the place where data is processed and stored.
      2. The requirements of local data protection law in an offshore location shall not be less than those in the R.O.C.
      3. As a principle, the client data of a natural person's business information system involving materiality shall be stored within the territory of the R.O.C. Where the data is stored outside of the R.O.C., unless otherwise approved by the competent authority, important client data shall have copies retained in the R.O.C.
    4. It is advisable to control and manage access to cloud services based on the purpose of use of cloud services.
  7. For outsourced cloud operation involving materiality, an organization is advised to take the following information security control and management measures:
    1. Adopt standardized Internet protocols. For transmission of sensitive information, it is advisable to adopt encrypted protocols such as Hypertext Transfer Protocol Secure (HTTPS) and SSH File Transfer Protocol (SFTP).
    2. Regularly evaluate the infrastructure security management mechanism for cloud services to ensure use of cloud services complies with the organization’s information security policies and other related requirements.
    3. Use the encryption keys managed by the organization for enhanced control over keys.
    4. Encryption tools and keys are stored in a separate and secure online environment and access is subject to restriction.
    5. Avoid use of operation data in the tests and validation of cloud services.
    6. Monitor and regularly review use of data saved on cloud to prevent breach of customer’s privacy and operation secrets.
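The controls in Article 8 can be expressed as policy-as-code checks run over an inventory of the organization's cloud configuration, so that privileged accounts without multi-factor authentication, unnecessary open ports, unencrypted or provider-keyed storage, and audit trails that carry plaintext client data are flagged before each review. The following Python script is an added example and is not part of the Directions or of any cloud provider's tooling; the inventory format, the sample inventory, the control labels and the `[masked]` convention are all constructed for illustration.

```python
"""Policy-as-code check of a cloud configuration inventory against the
Article 8 controls. Added illustrative example; the inventory layout and all
names below are hypothetical, not any provider's real API or data."""
import re

# Constructed sample inventory (not real infrastructure).
SAMPLE_INVENTORY = {
    "accounts": [
        {"name": "ops-admin", "privileged": True, "mfa": False},
        {"name": "report-reader", "privileged": False, "mfa": False},
        {"name": "cloud-owner", "privileged": True, "mfa": True},
    ],
    "security_groups": [
        {"name": "web", "open_ports": [443], "required_ports": [443]},
        {"name": "db", "open_ports": [5432, 22, 3389], "required_ports": [5432]},
    ],
    "storage": [
        {"name": "client-docs", "encrypted": True, "key_owner": "organization"},
        {"name": "archive", "encrypted": True, "key_owner": "provider"},
        {"name": "scratch", "encrypted": False, "key_owner": None},
    ],
    "audit_log": {
        "retained": True,
        "central": False,
        # Constructed audit entries; a real platform's log format will differ.
        "entries": [
            {"actor": "ops-admin", "action": "ReadObject", "client_id": "A1234"},
            {"actor": "cloud-owner", "action": "UpdateConfig", "client_id": "[masked]"},
        ],
    },
}

# Audit-trail fields the organization treats as important client data (assumed).
SENSITIVE_FIELDS = {"client_id", "account_no", "id_number"}
# Values accepted as already masked: the literal "[masked]" or a run of asterisks.
MASK_PATTERN = re.compile(r"^\[masked\]$|^\*+$")


def finding(control, resource, message):
    """One deviation from a control, as a plain dict for reporting."""
    return {"control": control, "resource": resource, "message": message}


def check_privileged_mfa(inv):
    """Privileged accounts (those able to change cloud configuration) need MFA."""
    return [finding("privileged-mfa", a["name"], "privileged account without MFA")
            for a in inv["accounts"] if a["privileged"] and not a["mfa"]]


def check_ports(inv):
    """Only necessary ports, protocols and services may be exposed."""
    out = []
    for sg in inv["security_groups"]:
        extra = sorted(set(sg["open_ports"]) - set(sg["required_ports"]))
        if extra:
            out.append(finding("necessary-ports", sg["name"],
                               f"unnecessary open ports {extra}"))
    return out


def check_encryption(inv, materiality):
    """Stored client data must be encrypted; for operations involving
    materiality the encryption keys must be managed by the organization."""
    out = []
    for s in inv["storage"]:
        if not s["encrypted"]:
            out.append(finding("encrypt-at-rest", s["name"], "data stored unencrypted"))
        elif materiality and s["key_owner"] != "organization":
            out.append(finding("org-managed-keys", s["name"],
                               "encryption key not managed by the organization"))
    return out


def check_audit_trail(inv):
    """Audit trails must be retained, centrally managed, and must not carry
    unencrypted important client data."""
    log = inv["audit_log"]
    out = []
    if not log["retained"]:
        out.append(finding("trail-retained", "audit_log", "audit trail not retained"))
    if not log["central"]:
        out.append(finding("trail-central", "audit_log", "audit trail not centrally managed"))
    for i, entry in enumerate(log["entries"]):
        for key in SENSITIVE_FIELDS & set(entry):
            if not MASK_PATTERN.match(str(entry[key])):
                out.append(finding("trail-no-client-data", f"entry[{i}]",
                                   f"plaintext client data in field '{key}'"))
    return out


def evaluate(inv, materiality=True):
    """Run every check and return the combined list of findings."""
    return (check_privileged_mfa(inv) + check_ports(inv)
            + check_encryption(inv, materiality) + check_audit_trail(inv))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"[{f['control']}] {f['resource']}: {f['message']}")
```

Run against the constructed inventory with `materiality=True`, the script reports six findings: the `ops-admin` account lacks MFA, the `db` security group exposes ports 22 and 3389 beyond the required 5432, the `archive` volume is encrypted under a provider-managed key, the `scratch` volume is unencrypted, the audit trail is not centrally managed, and the first audit entry carries a plaintext `client_id`. With `materiality=False` the provider-managed key is no longer a finding, mirroring the distinction the Directions draw for operations involving materiality. In practice the inventory would be exported from the provider's configuration and logging interfaces rather than embedded as a literal.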
Article 9    (Management of continuity and exit of cloud services)
  1. An organization shall prepare an operation continuity management plan by conducting operation impact analysis on the information system enabling cloud services, evaluating resilience and ability of recovery of cloud services, and considering the venue where the assets, resources and data involving cloud services are located, and recovery ability of the cloud service provider.
  2. With regard to outsourced cloud operation involving materiality, when planning the test or exercise program for business continuity of cloud services, an organization shall, according to risk-based approach, determine the frequency and method of tests or exercise. It is advisable to consider preparation and establishment of operation continuity test or exercise program for cloud services in collaboration with cloud service provider, and where circumstances allow, ask the cloud service provider to participate in joint tests or exercise.
  3. An organization shall create the cloud data backup mechanism, and keep a list of backup copies. The media where backup data is stored or backup files shall be properly protected to ensure availability of information and prevention of unauthorized access.
  4. An organization shall establish the information security event reporting and management mechanism for use of cloud services.
  5. An organization shall, prior to adoption of cloud services, formulate the transfer strategies and plans for termination of use of cloud service, to ensure the services can be successfully transferred to another cloud service provider or migrated back to the organization for self-operation upon termination or end of a contract of operation.
  6. An organization shall ensure, upon termination of the outsourcing contract or termination of use of cloud services, deletion or destruction of all archived data kept by the cloud service provider (such as images of a virtual machine, storage space, cache space, backup media, client information or sensitive information) and shall ask the cloud service provider to provide the proof of a full deletion of data.