
Amendments

Title:

Establishing Information Security Inspection Mechanisms for Securities Firms

Amended Date: 2024.05.15 (Articles 1, 4, 7, 10, 12 amended, English version coming soon)
Current English version amended on 2023.08.23 
Categories: Market Supervision > Regulation of Securities Firms

Title: Establishing Information Security Inspection Mechanisms for Securities Firms (2017.03.24)
7     Management of Communications and Operations (CC-17000)
  1. Management of network security (CC-17010, applicable to securities firms placing orders via the Internet; items a, b and e are applicable to securities firms that connect to public networks via auction terminals, monthly audit):
    1. Evaluating the security of network systems:
      1. The company shall regularly evaluate the security of its own network systems (e.g., its operating system, network servers, browsers, firewall, and anti-virus software) and retain related records.
      2. Security gaps in the network operating environment (including servers, portables, personal terminals, and computers available on business premises to investors for shared use) shall be repaired regularly or timely. The related documentation shall be retained.
      3. Matters bearing on computer network security (including the promotion of awareness of the information security policy, prevention of hacking, and anti-virus measures) shall be internally announced at any time and from time to time.
      4. A specially appointed employee shall be designated to be responsible for computer servers and important software and hardware.
    2. Managing firewall security:
      1. A firewall shall be established.
      2. A specially appointed employee shall be responsible for managing the firewall.
      3. Records of firewall entries, exits, and backup copies shall be retained for at least two years.
      4. Important website and server systems (e.g. online order placing systems) shall be isolated from the Internet by the firewall.
      5. The firewall system configuration shall be approved by the proper supervisor.
    3. Managing network transmission security:
      Online order placing pages shall be protected by encryption (e.g. SSL).
    4. Managing CA authentication and certificates:
      1. A securities firm placing orders online shall adopt certificate delivery procedures to prevent certificates from being obtained by persons other than their intended owners.
      2. A securities firm placing orders online shall use an authentication system for all orders.
    5. Protecting against computer viruses and malicious software:
      1. Anti-virus software shall be installed. Its programs and virus definitions shall be given timely updates.
      2. Computer systems and data storage media (including emails) shall be regularly scanned for viruses.
      3. Anti-virus protection shall cover personal terminals (including portables and computers available on business premises to investors for shared use) and network servers.
      4. Emails from unknown sources shall not be opened. Special care shall be used in opening emails with attachments containing executable files.
      5. To prevent computer viruses from spreading and affecting computer security, the company shall adopt security rules governing email use.
    6. Inspecting the functions of online ordering systems:
      The functions provided by online ordering systems shall be inspected regularly and inspection records shall be kept.
    7. Regulations governing the company's provision of API services:
      The application procedure, approval standards and relevant control measures and operations in regard to the company's provision of API services to customers are governed by the Directions for the Provision of Application Programming Interface (API) Service by Securities Firms to Customers.
    8. Quality standards for services for placing orders via the Internet:
      When providing services for placing orders via the Internet, the company needs to maintain the quality of customer services by establishing quality standards for placing orders via the Internet, which shall cover the key elements such as transaction security, stability and user friendliness, and customer services.
  2. Computer system and operation safety management (CC-17020, semi-annual audit)
    1. Managing computer equipment:
      The company shall enter into a written maintenance agreement with the maintenance service provider to establish the content of computer equipment maintenance work. A maintenance log shall be retained after the completion of maintenance. The information unit shall appoint personnel to conduct inspection together with the maintenance personnel from the maintenance service provider.
    2. Environment configuration and use authorization settings of the operating systems of computers:
      1. The environment configuration and use authorization settings of the operating systems of computers shall be approved by the relevant supervisor and implemented by system administrators.
      2. Appropriate backup measures shall be in place with respect to files in the computer system before and after they are modified.
    3. Security management of computer media:
      1. Backup copies of important software, related documents, and inventory lists shall be made and stored in a separate safe location.
      2. If important backup files and software are stored in the same building that houses the computer center, they shall be kept locked in a fireproof room or in a cabinet that is both fireproof and earthquake-proof.
      3. Storage media used for backup materials shall be labeled with the name of the materials and their retention period.
      4. Handling procedures shall be established for media used to store confidential and sensitive information so as to prevent leaking or improper use of the information.
    4. Management of computer operation:
      1. Computer operators shall strictly adhere to prescribed operating procedures.
      2. Complete and accurate records shall be provided in an operating log, which shall be inspected and approved daily by a supervisor. The operator and the supervisor may not be the same person.
      3. Specially appointed personnel shall be responsible for inspecting information in the logs of the system console and for regularly submitting the information to a supervisor for inspection and approval.
    5. The securities broker shall have a computer system that has adequate capacity and is capable of meeting the needs of its business.
    6. The securities broker shall adopt mechanisms and procedures for regular evaluations (at least once a year) of the capacity of and security measures for its computer system, to be carried out either internally or outsourced to a professional institution. The system capacity shall be stress-tested regularly and records of the testing retained.
10     Business Continuity Management (CC-20000, semi-annual audit)
  1. Failure recovery procedures (e.g. backup and recovery plans for computer equipment, communications equipment, power systems, databases, and computer operating systems etc.) shall be clearly formulated and reduced to writing.
  2. Failure recovery procedures shall be tested periodically; after testing, a review meeting shall be convened to consider ways to improve in response to deficiencies and a record thereof shall be retained.
  3. Securities brokers shall have backup measures in place for their trading servers.
  4. The company is advised to formulate a business continuity plan (covering such matters as activation conditions, participating personnel, emergency response procedures, backup procedures, maintenance schedules, education and training, descriptions of job duties, response plans of outside entities with which the company does business, and contract suitability), maintain measures necessary for the plan, and to prescribe the key operations and related impact analyses.
  5. The company shall adopt an information security reporting mechanism (e.g. formal reporting procedures and appointed contacts for information security incident reports). The company is advised to take appropriate corrective procedures for information security incidents relating to its information system and to retain related records.
  6. Any theft, alteration, damage, loss or divulgence of, or other information security incident involving, personal information shall be immediately reported by the company to the TWSE (TPEx or Taiwan Securities Association) in writing, to be advised to the competent authority.
  7. The company shall establish clear operational procedures to defend against and respond to distributed denial-of-service (DDoS) attacks.