Establishing Information Security Inspection Mechanisms for Securities Firms (2013.05.09)

2. Information Security Policy (CC-12000, annual audit)
- The company shall adopt an information security policy and set information operations security standards in accordance with its business needs and applicable laws and regulations.
- The following content shall be included in the information security policy:
  - A definition of information security, information security objectives, and scope of information security.
  - An explanation and description of the information security policy, information security principles and standards, and rules the employees must comply with.
  - A description of the organizational unit in charge of the information security work, the unit's authority and duties, and segregation of said duties.
  - Emergency procedures for reporting and handling an information security incident, along with related regulations.
- The information security policy adopted by the company shall be approved by its management, formally issued, observed by all of its employees, and notified to and observed by public and private authorities / institutions and providers of information services with network connection with the company.
- The company's information security policy shall be evaluated at least once per year to reflect the latest developments in laws, regulations, bylaws, technology, and business etc., and to ensure the efficacy of the company's information security operations. Records of the above evaluations shall also be retained.
- Information security policy evaluations shall be conducted in an independent and objective manner either internally or through an outsourced professional institution.

7. Management of Communications and Operations (CC-17000)
- Management of network security (CC-17010, applicable to securities firms placing orders via the Internet; items a, b and e are applicable to securities firms that connect to public networks via auction terminals, monthly audit):
  - Evaluating the security of network systems:
    - The company shall regularly evaluate the security of its own network systems (e.g., its operating system, network servers, browsers, firewall, and anti-virus software) and retain related records.
    - Security gaps in the network operating environment (including servers, portables, personal terminals, and computers available on business premises to investors for shared use) shall be repaired regularly or in a timely manner. The related documentation shall be retained.
    - Matters bearing on computer network security (including the promotion of awareness of the information security policy, prevention of hacking, and anti-virus measures) shall be announced internally from time to time and whenever needed.
    - A specially appointed employee shall be designated to be responsible for computer servers and important software and hardware.
  - Managing firewall security:
    - A firewall shall be established.
    - A specially appointed employee shall be responsible for managing the firewall.
    - Firewall records of inbound and outbound traffic, together with their backup copies, shall be retained for at least two years.
    - Important website and server systems (e.g. online order placing systems) shall be isolated from the Internet by the firewall.
    - The firewall system configuration shall be approved by the proper supervisor.
  - Managing network transmission security:
    - Online order placing pages shall be protected by encryption (e.g. SSL).
  - Managing CA authentication and certificates:
    - A securities firm placing orders online shall adopt certificate delivery procedures to prevent certificates from being obtained by persons other than their intended owners.
    - A securities firm placing orders online shall use an authentication system for all orders.
  - Protecting against computer viruses and malicious software:
    - Anti-virus software shall be installed. Its programs and virus definitions shall be given timely updates.
    - Computer systems and data storage media (including emails) shall be regularly scanned for viruses.
    - Anti-virus protection shall cover personal terminals (including portables and computers available on business premises to investors for shared use) and network servers.
    - Emails from unknown sources shall not be opened. Special care shall be used in opening emails with attachments containing executable files.
    - To prevent computer viruses from spreading and affecting computer security, the company shall adopt security rules governing email use.
  - Inspecting the functions of online ordering systems:
    - The functions provided by online ordering systems shall be inspected regularly and inspection records shall be kept.
- Computer system and operation safety management (CC-17020, semi-annual audit):
  - Managing computer equipment:
    - The company shall enter into a written maintenance agreement with the maintenance service provider to establish the content of computer equipment maintenance work. A maintenance log shall be retained after the completion of maintenance. The information unit shall appoint personnel to conduct inspection together with the maintenance personnel from the maintenance service provider.
  - Environment configuration and use authorization settings of the operating systems of computers:
    - The environment configuration and use authorization settings of the operating systems of computers shall be approved by the relevant supervisor and implemented by system administrators.
    - Appropriate backup measures shall be in place with respect to files in the computer system before and after they are modified.
  - Security management of computer media:
    - Backup copies of important software, related documents, and inventory lists shall be made and stored in a separate safe location.
    - If important backup files and software are stored in the same building that houses the computer center, they shall be kept locked in a fireproof room or in a cabinet that is both fireproof and earthquake-proof.
    - Storage media used for backup materials shall be labeled with the name of the materials and their retention period.
    - Handling procedures shall be established for media used to store confidential and sensitive information so as to prevent leaking or improper use of the information.
  - Management of computer operation:
    - Computer operators shall strictly adhere to prescribed operating procedures.
    - Complete and accurate records shall be provided in an operating log, which shall be inspected and approved daily by a supervisor. The operator and the supervisor may not be the same person.
    - Specially appointed personnel shall be responsible for inspecting information in the logs of the system console and for regularly submitting the information to a supervisor for inspection and approval.
    - The securities broker shall have a computer system that has adequate capacity and is capable of meeting the needs of its business.
    - The securities broker shall adopt mechanisms and procedures for regular evaluations (at least once a year) of the capacity of and security measures for its computer system, to be carried out either internally or outsourced to a professional institution. The system capacity shall be stress-tested regularly and records of the testing retained.

8. Access Control (CC-18000, monthly audit)
- The company shall adopt rules governing controlled access to the information system and request the employees to abide by the rules in writing, electronically, or via other means.
- Authorization management:
  - There shall be a detailed written description of the controls on the access to and use of programs.
  - In the event of a personnel change, the affected user's authorization shall be promptly updated.
  - Access to and use of programs and files shall be granted on the basis of authorization.
  - Authorization for computer access and use by outsourcers shall be subject to appropriate control, and the authorization shall be promptly reclaimed at the end of the outsourcing period.
  - Outsourcers deployed to the company's premises shall be subject to the company's security management, and security control measures shall be applied if they wish to use internal network resources (e.g., where such personnel use a proxy server or establish a separate network, it is advisable that such server or network be physically isolated from the internal network).
  - The authorizations of users who have not used the system for a long time (excluding users who are customers) shall be reviewed and reconsidered regularly (at least semi-annually).
- Password Management:
  - Users making use of the system for the first time may not operate the system until they have changed their initial password.
  - Passwords shall be saved in a randomized format.
  - A user who forgets his password shall go through a rigorous identity check before being allowed to use the system again.
  - Initial passwords shall be generated randomly and have no connection with the user's identity.
  - The login session shall be terminated when a password is entered incorrectly three times.
  - Except where the input interface only allows for numerical inputs (e.g. voice-mail ordering systems), the company shall use strong passwords (at least six characters in length with alphanumeric characters or other symbols) and further encourage customers to change their user passwords at least once every three months. Except for customers, other users in the company must change their passwords at least once every three months.
  - The company's current website, servers, Network Neighborhood, routers, switches, operating systems, databases, and other software and hardware equipment shall be password-protected. Default settings (e.g. "administrator," "root," "sa") or simple strings (e.g. "1234") shall be avoided as passwords. Administrator access privileges shall never be left unset.
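The password rules in the list above, worked into a small Python model. This is an added example, not part of the inspection checklist or any firm's system; it assumes "randomized format" means a salted PBKDF2 hash, reads "three months" as 90 days, treats the three-strike rule as ending the session (not locking the account), and picks a PBKDF2 work factor of its own.

```python
import hashlib, hmac, os, secrets, string
from datetime import datetime, timedelta

MAX_FAILED = 3                 # third wrong entry terminates the login session
ROTATION = timedelta(days=90)  # "at least once every three months" (assumed as 90 days)
MIN_LEN = 6                    # "at least six characters"
PBKDF2_ROUNDS = 200_000        # assumed work factor; not stated in the checklist

def password_is_strong(pw: str) -> bool:
    """Six or more characters that mix letters with digits or other symbols."""
    has_alpha = any(c.isalpha() for c in pw)
    has_other = any(not c.isalpha() for c in pw)
    return len(pw) >= MIN_LEN and has_alpha and has_other

def random_initial_password(length: int = 10) -> str:
    """Random initial password with no connection to the user's identity."""
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def hash_password(pw: str, salt: bytes = b"") -> bytes:
    """Store only salt + salted PBKDF2 hash (our reading of 'randomized format')."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def check_password(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

class Account:
    def __init__(self, user_id: str, is_customer: bool, initial_pw: str, now: datetime):
        self.user_id, self.is_customer = user_id, is_customer
        self.stored, self.changed_at = hash_password(initial_pw), now
        self.must_change = True   # initial password cannot be used beyond first login
        self.failed = 0

    def login(self, pw: str, now: datetime) -> str:
        if not check_password(pw, self.stored):
            self.failed = (self.failed + 1) % MAX_FAILED   # wraps to 0 on the third miss
            return "denied" if self.failed else "terminated"  # terminated: session ends
        self.failed = 0
        if self.must_change:
            return "change_required"
        if now - self.changed_at > ROTATION:   # staff must rotate; customers are urged to
            return "ok_rotation_advised" if self.is_customer else "expired"
        return "ok"

    def change_password(self, new_pw: str, now: datetime) -> bool:
        if not password_is_strong(new_pw):
            return False
        self.stored, self.changed_at = hash_password(new_pw), now
        self.must_change = False
        return True
```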
- Management of computer audit logs:
  - Audit logs for important systems (like server login systems and online order systems) shall include user ID numbers, login dates and times, computer identification information, and IP addresses etc.
  - Specially appointed personnel shall be assigned to regularly inspect the computer audit logs of the important systems above.
- Data Input Management:
  - The inputting or alteration of high-security or important data may be undertaken only with approval from the supervisor with proper authority.
  - A log shall be kept of the data that is input or altered along with the names and job titles of the people who perform the inputting or alteration.
  - Important data (e.g. password files) that are highly confidential shall be saved in a randomized format.
  - If the company is a public company, it shall incorporate the Guidelines for Online Filing of Public Information by Public Companies into its internal control system and carry out information reporting in accordance with those directions.
  - Where an electronic certificate, IC card, other form of certificate chip card, or other certificate carrier is used to represent the company in transmitting signatures (e.g. the Market Observation Post System, the Securities Firm Filings Window, or Official-Document Exchange Center), specially appointed personnel shall be responsible for maintaining custody of the certificate carriers and establishing a log book. Procedures governing the use and custody of account numbers and passwords shall be adopted and implemented.
  - When a certificate carrier is used to represent the company in transmitting signatures, if the server side is a securities firm application system (e.g. Electronic Reconciliation Statement System), a computer audit log shall be kept for the same period as the data in each operation.
  - The personal information of customers and the company's internal personnel shall be properly handled in accordance with the Personal Information Protection Act.
  - The company shall at regular or irregular intervals audit the management of information defined as personal information by the Personal Information Protection Act.
  - Any updates, edits, or strike-outs of the aforementioned personal information shall be reported for recordation, and a complete and accurate log shall be maintained showing the content of the updates, edits, and strike-outs, the names of the persons making them, and the times at which they were made.
  - Where the company needs to collect, process, or transmit across borders personal data for business purposes, the company shall adopt "The Partition of Rights and Liabilities with Regard to Maintenance of Secrecy and Damages with Software/Hardware Manufacturers."
- Management of Data Output:
  - Whether statements are generated and delivered to the user units in a timely manner.
  - Whether appropriate control procedures are in place for the printing out or browsing of confidential or sensitive statements.
  - There shall be an encrypted transmission mechanism (e.g. SSL) for investors searching personal information on the company website.

11. Compliance (CC-21000, semi-annual audit)
- A company shall regularly (at least annually) carry out an information security audit (either internally or outsourced to a professional institution) and keep an audit log.
- Whether the company monitors improvements made in response to the aforementioned information security audits (including audit summaries, scope of audits, description of deficiencies, and recommendations for improvement).