Systems Development and Maintenance (CC-19000, semi-annual audit)
- The information security requirements shall be included in the analysis and specifications when an application system is being planned and analyzed.
- Whether inputs are verified to confirm their accuracy.
- Legal copyrighted software shall be used.
- Contracts shall be entered into for outsourced work. The terms of contracts entered into for outsourced work shall include an information security agreement and the right to audit the outsourcer's information security.
- When a completed program requires maintenance, it must be carried out in accordance with formally approved procedures.
- All documents and handbooks shall be properly maintained and controlled.
- Specially appointed personnel shall be responsible for maintaining application systems.
- Management of changes to application systems:
  - Files that contain programs, data, and job control commands for production and test operations shall be stored separately.
  - When a program is modified, its documentation shall be promptly updated.
- The company shall regularly (at least semi-annually) scan its information system for vulnerabilities. When potential vulnerabilities are identified, it is advised to evaluate the associated risks or install software patches and retain a record (applicable to securities firms placing orders online, but not applicable to those doing so via telephone or in the traditional manner).
- Source code security regulations (applicable to securities firms placing orders on the Internet, not those placing voice (telephone) or traditional orders):
  - (a) Malware and other security holes shall be avoided in a program.
  - (b) A program shall use a comprehensive, appropriate and effective validation mechanism to ensure completeness.
  - (c) When a library referenced by a program is updated, a corresponding updated version of the program shall be made available.
  - (d) A program shall perform security checks on strings entered by users and provide a protection mechanism against injection attacks.
  - If no source code of the program is available, the provider of the program shall be requested to comply with the security measures in the preceding four paragraphs ((a), (b), (c), (d)).
- Mobile application security control (applicable to securities firms placing orders on the Internet, not those placing voice (telephone) or traditional orders):
  - Launch of a mobile application:
    - A mobile application shall be launched in a mobile application store or on a mobile application website from a reliable source. The sensitive information to be accessed, the mobile device resources used, and the permissions requested and their purposes shall be specified upon said launch.
    - The name, version and download location of a mobile application shall be provided on the official website.
    - A fake mobile application detection mechanism shall be in place to protect customers’ rights and interests.
    - Before launch, it shall be ascertained that the permissions required by a mobile application correspond to the services it offers. The initial launch, or any change of permissions, is subject to the consent of the data security and legal compliance units and shall be documented, to facilitate a general assessment as to whether the duty to notify under the Personal Data Protection Act is satisfied.
  - Protection of sensitive information:
    - When a mobile application transmits and stores sensitive data, an authentication, hashing or encryption mechanism shall be in place to ensure safe transmission and storage, and the data shall be appropriately de-identified when in use. Relevant access logs shall be protected to prevent unauthorized access.
    - Upon activation, a mobile application shall detect whether the mobile device has been unlocked (e.g. by rooting, jailbreaking or USB debugging) and, if so, issue a risk alert to the user.
  - Mobile application testing:
    - Mobile applications used by investors shall undergo and pass data security testing by a third-party testing laboratory accredited by the Taiwan Accreditation Foundation before the initial launch and annually thereafter. Such testing shall cover the items listed in the guidelines for vetting the security of mobile applications published by the Mobile Application Security Alliance, the testing unit commissioned by the Industrial Development Bureau, Ministry of Economic Affairs. If the application is updated within a year after laboratory testing is passed, material updates are subject to outsourced or in-house testing before each release. Material updates are functional changes to “trading order,” “account inquiries,” “identification” and “material customer rights and interests.” The testing is based on the OWASP Mobile Top 10 and shall be documented.
    - The company shall have in place a reexamination mechanism for the test reports provided by a third-party testing laboratory, to ensure the testing items and contents are consistent. Such reexaminations shall be documented.
Application of new technologies (CC-21100, annual audit)
- Cloud services:
  - If the company uses cloud services, it shall establish cloud computing service operation security regulations, covering the method for selecting a cloud service provider, audit measures, the backup system, service standards (including information security protection) and recovery time requirements. Where any requirement is not met, additional compensating measures shall be in place.
  - If the company is a cloud service provider, it shall establish cloud computing service security control and management measures, covering legal compliance, access control and management, allocation of rights and responsibilities, and information security protection. When sensitive information is transmitted, encrypted communication protocols such as HyperText Transfer Protocol Secure (HTTPS) and SSH File Transfer Protocol (SFTP) shall be used.
- Social media:
  - The company shall establish information security regulations for social media and regulations for the use of social media, covering:
    - A definition of what business-related information may be shared on social media for business purposes.
    - The distinction between personal and business use of social media, and key information about their use.
    - The level of risk in allowing employees to use social media shall be assessed (including information disclosure, social engineering, malware attacks, etc.) and appropriate security control measures taken.
  - The company shall establish information security regulations and management policies for the operation of its official pages on social media, which shall cover the following:
    - If the official website contains a link that takes users away from the website to social media, a pop-up window shall notify the user that he or she is leaving the company's website when the link is clicked.
    - The name and contact details of the securities firm shall be specified on the social media page to distinguish it from the official page on the social media platform.
    - An account authorization management system shall be established to control and monitor posts, and inappropriate comments and irregularities shall be reported or handled.
- Mobile devices:
  - The company shall establish information security regulations and management policies for mobile devices used for business, which shall cover the following:
    - The management policies for mobile devices shall include applicable regulations for the request, use, replacement and return of a mobile device.
    - When the user of a mobile device changes, the device shall be reconfigured or its original configuration cleared to ensure the security of the device environment.
    - It is advisable that only official applications, or other applications that have passed the company's testing and are listed by it as downloadable, be installed on the device.
  - The company shall establish information security regulations and management policies for mobile devices owned by employees, which shall cover the following:
    - The company shall ask employees to use their own mobile devices only for certain purposes.
    - The company shall sign an agreement with each employee using a personally owned mobile device, with terms and conditions on limits of use, the liabilities of the parties, etc.
    - The company shall prohibit unauthorized connection of its internal information equipment to the Internet via employee-owned mobile devices.
- The Internet of things:
  - Information security regulations and management policies for the Internet of things (IoT) shall be established, which shall cover the following:
    - A management list of IoT equipment shall be created and updated at least once a year, and the initial password of such equipment shall be changed.
    - IoT equipment shall have a security update mechanism and shall be updated regularly (at least once a year). If a vulnerability in the equipment is known and no update to correct it is possible, a compensating control shall be established.
    - Network connections and services not needed by IoT equipment should be turned off. Use of public Internet connections is advised against.
    - When signing a procurement contract with a supplier of IoT equipment, it is advisable that the contract include terms on information security and a clear definition of related liabilities, e.g. service warranty, lifespan of security updates, proactive notification of known vulnerabilities in the equipment, and submission of appropriate response measures, to ensure the equipment has no known security vulnerabilities.