2. Information Security Policy (CC-12000, annual audit)
- The company shall adopt an information security policy and set information operations security standards in accordance with its business needs and applicable laws and regulations.
- The following content shall be included in the information security policy:
  - A definition of information security, information security objectives, and the scope of information security.
  - An explanation and description of the information security policy, the information security principles and standards, and the rules employees must comply with.
  - A description of the organizational unit in charge of information security work, the unit's authority and duties, and the segregation of those duties.
  - Emergency procedures for reporting and handling an information security incident, along with related regulations.
- The information security policy adopted by the company shall be approved by its management, formally issued, and observed by all of its employees; it shall also be communicated to, and observed by, public and private authorities or institutions and providers of information services that have network connections with the company.
- The company's information security policy shall be evaluated at least once per year to reflect the latest developments in laws, regulations, bylaws, technology, business, etc., and to ensure the efficacy of the company's information security operations. Records of these evaluations shall also be retained.
- Information security policy evaluations shall be conducted in an independent and objective manner, either internally or through an outsourced professional institution.
- The company shall have its highest officer responsible for information security, together with its board chairperson, general manager and chief audit officer, jointly issue a statement on the overall implementation of information security measures during the previous year, which shall be submitted to the board of directors for approval. The statement shall be disclosed on the Market Observation Post System (MOPS) within three months after the close of the fiscal year.
3. Security Organization (CC-13000, annual audit)
- The company shall, as required, have appropriate human resources and equipment available for planning and monitoring the information security system and implementing information security management operations. The job responsibilities of the relevant staff, and any other responsibilities they hold concurrently, shall comply with the regulations.
- The company shall designate a vice president or a high-level supervisor to be responsible for coordinating and implementing information security management and, where necessary, may also establish an interdepartmental "Information Security Task Force" to handle overall coordination and discussion of information security policy, planning, resource allocation, etc.
- As necessary for information security management, the company shall specifically assign personnel or unit(s) to be responsible for planning and implementing information security work; the assigned staff shall attend regular information security professional programs and training of at least 15 hours in a year and pass the assessment. Other staff with access to information systems shall attend information security awareness programs of at least three hours in a year.
- If the company lacks sufficient information security manpower, skills, or experience, it may retain external scholars, experts, or professional private institutions and groups to provide information security consulting services.
- The authority and duties of the company's information processing department shall be clearly differentiated from those of its business units.
12. Application of new technologies (CC-21100, annual audit)
- Cloud services:
  - If the company uses cloud services, it shall establish cloud computing service operation security regulations covering the method for selecting a cloud service provider, audit measures, the backup system, service standards (including information security protection), and recovery time requirements. When any requirement is not met, additional compensatory measures shall be taken.
  - If the company is a cloud service provider, it shall establish cloud computing service security control and management measures covering legal compliance, authority control and management, allocation of rights and responsibilities, and information security protection. When sensitive information is transmitted, encrypted Internet communication protocols such as HyperText Transfer Protocol Secure (HTTPS) and Secret File Transfer Protocol (SFTP) shall be used.
- Social media:
  - The company shall establish information security regulations for social media and regulations for the use of social media, covering:
    - A definition of what business-related information may be shared on social media for business purposes.
    - The distinction between social media for personal and for business purposes, and important information about their use.
    - The levels of risk in allowing employees to use social media, including information disclosure, social engineering, malware attacks, etc., shall be assessed, and appropriate security control measures shall be taken.
  - The company shall establish information security regulations and management policies for the operation of its official pages on social media, which shall cover the following:
    - Understanding the privacy policy applicable to the social media on which it maintains its official page, reviewing changes to that privacy policy, and assessing the risks regularly (once a year).
    - If the official website contains a link that takes users away from the website to social media, a pop-up window should notify the user that he or she is leaving the company's website when the link is clicked.
    - The name and contact method of the securities firm should be specified on the social media page to distinguish it from the official page on the social media.
    - An account authorization management system shall be established to control and monitor posts; inappropriate comments and irregularities shall be reported or handled.
- Mobile devices:
  - The company shall establish information security regulations and management policies for mobile devices for business use, which shall cover the following:
    - The management policies for mobile devices shall include applicable regulations for the request, use, replacement, and return of a mobile device.
    - When the user changes, the mobile device should be reconfigured or the original configuration cleared to ensure the security of the mobile device's environment.
    - It is advisable that only official applications, or other applications that have passed testing and are listed as downloadable by the company, be installed on the device.
  - The company shall establish information security regulations and management policies for mobile devices owned by employees, which shall cover the following:
    - The company shall ask employees to use their own mobile devices only for certain purposes.
    - The company shall sign an agreement on the use of employee-owned mobile devices with each employee using their own device, with terms and conditions on limits on use, the liabilities of the parties, etc.
    - The company shall prohibit unauthorized connection of its internal information equipment to the Internet from employee-owned mobile devices.
  - The company shall establish regulations and management policies for the release of mobile applications, which shall cover the following:
    - Prior to release of an application, it shall be ensured that its code and code libraries have passed security or verification procedures, e.g. testing or scanning of the source code to make sure it does not contain any malware or sensitive information.
    - It is advisable that the mobile application have a well-defined selection mechanism for special symbols.
    - When the source code of a mobile application is not available, the provider of the mobile application shall be asked to meet the above security requirements.
  - The company shall establish control regulations and management policies for the security of mobile applications, which shall cover the following:
    - An access verification mechanism shall be designed for mobile applications handling sensitive information such as transaction or account information, and only authorized mobile applications may be allowed to access the sensitive information.
    - When a mobile application sends text messages or other notices to inform a user of sensitive information, all information that may identify the user shall be removed.
    - When account numbers, PINs, and other sensitive information are transmitted via a mobile application, a certificate verification or encryption system shall be in place to ensure secure transmission.
    - When PINs, certificates, transaction, billing, or other sensitive information are stored via a mobile application, the stored information shall be protected through secure hashing or encryption.
    - When transactions or cash flow operations take place via a mobile application, it is advisable that access logs be kept and protected from unauthorized access.
- The Internet of things:
  - Information security regulations and management policies for the Internet of things (IoT) shall be established, which shall cover the following:
    - A management list of IoT equipment shall be created and updated at least once a year, and the initial password of the above equipment shall be changed.
    - IoT equipment shall have a security update mechanism and shall be updated regularly (once a year). If a defect in the equipment is known and no update to correct the defect is possible, a compensatory control system shall be established.
    - Network connections and services not needed by IoT equipment should be turned off. Use of public Internet connections is advised against.
    - When signing a procurement contract with a supplier of IoT equipment, it is advisable that the contract include terms on information security and a clear definition of related liabilities, e.g. service warranty, lifespan of security updates, voluntary notification of known vulnerabilities in the equipment, and submission of appropriate response measures, to ensure there are no known security vulnerabilities in the equipment.