Article 2 (Applicability and Parties Governed)
Parties governed by these guidelines include securities firms, futures commission merchants, securities investment trust enterprises and securities investment consulting enterprises and are divided into two types as below:
- Type 1: organizations appointing a chief information security officer in accordance with Article 36-2 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets
- Type 2: organizations that are not type 1
- If the data security management policy of a Taiwan subsidiary or branch of a foreign group is controlled and established by the foreign parent company or head office, the relevant control measures established or set up by the parent company or head office prevail if they provide for better regulation. Taiwan laws and regulations shall be observed if no such measures are in place.
- The reference guidelines below address matters to be observed by both type 1 and type 2 organizations unless otherwise specifically remarked.
Article 3 (Definitions)
- Information and communication system: A system used for collecting, controlling, transmitting, storing, circulating, or deleting information, or otherwise processing, using, and sharing information.
- Access: Access to an information asset by any means, including acquisition, use, safekeeping, inquiry, revision, adjustment, destruction, etc.
- Network equipment: Components for network communication that are required for transmitting data, programs, services, and multimedia, such as firewalls, routers, switches, etc., as also included in the network diagram of an organization.
- Information and communication security event: An event where a system, service, or network is found upon evaluation to show signs of a possible breach of the information and communication security policy or of a failure of a protective measure, which impacts the operation of the information and communication system and constitutes a threat to the information and communication security policy.
- Information asset: An asset pertaining to the processing of information, including hardware, software, data, documents, personnel, etc., such as the operating system, applications, and other software of a server or a user's computer.
- Information service provider: A vendor that meets the selection criteria outlined in the "Reference Guidelines on the Supply Chain Risk Management of Service Enterprises in Securities and Futures Markets."
Article 5 (Network Segmentation)
- Work areas shall be divided and isolated by network segmentation to ensure network infrastructure security.
- For the purpose of maintaining business operation, the network shall be segmented into, for example, a Demilitarized Zone (DMZ), Production (Prod.), Unit Test (UT) or User Acceptance Test (UAT), and other segments.
- An organization shall define the extranet and the intranet. The extranet is connected to the Internet, while the intranet is the server-equipped area between the organization's personnel and its internal services. Traffic from the extranet to the intranet is subject to access control and is restricted to official use by organizational personnel or approved use by information service providers, so that unauthorized services cannot enter.
- Segregation by a virtual local area network, or VLAN, is advised for intranet segments of an organization. The intranet may be segmented according to the internal units, departments, business natures, etc. of the organization, with restrictions imposed on access among different VLANs.
- An organization shall isolate access-restricted services and specific services by appropriate means. Information personnel shall periodically review the firewall rules or access control lists (ACLs) that implement the chosen method of segregation.
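An added example, not part of the guidelines: a small Python audit of a constructed firewall rule set against the Article 5 requirements above. It flags extranet-to-intranet allow rules that are unscoped ("any" source, destination or port) or lack an approval record, flags test-to-production crossings, and requires a closing default deny. The zone names, rule fields and sample rules are assumptions made for illustration.

```python
from dataclasses import dataclass

# Zone names are assumptions for this illustration, following the Article 5 split.
EXTERNAL_ZONES = {"extranet"}                 # Internet-facing side
INTERNAL_ZONES = {"intranet", "prod", "uat"}  # server-equipped internal areas

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src: str                # host or network, or "any"
    dst: str
    port: str
    action: str             # "allow" or "deny"
    approved_by: str = ""   # change ticket or approver recorded with the rule

def findings_for(rule):
    """Return the Article 5 deviations found in one rule."""
    issues = []
    if rule.action != "allow":
        return issues
    if rule.src_zone in EXTERNAL_ZONES and rule.dst_zone in INTERNAL_ZONES:
        # Extranet -> intranet traffic must be scoped and tied to an approval.
        for field in ("src", "dst", "port"):
            if getattr(rule, field) == "any":
                issues.append(f"{rule.name}: unrestricted {field} on extranet->{rule.dst_zone}")
        if not rule.approved_by:
            issues.append(f"{rule.name}: no approval record for extranet->{rule.dst_zone}")
    if rule.src_zone == "uat" and rule.dst_zone == "prod":
        issues.append(f"{rule.name}: test segment reaches production")  # UAT must stay isolated
    return issues

def audit(rules):
    """Run the per-rule checks and require the set to close with a default deny."""
    issues = [i for r in rules for i in findings_for(r)]
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst) != ("any", "any"):
        issues.append("rule set does not end with a default deny")
    return issues

# Constructed sample rule set (not real configuration).
SAMPLE_RULES = [
    Rule("vpn-to-fileshare", "extranet", "intranet", "vpn-pool", "fileshare", "445", "allow", "CHG-0001"),
    Rule("vendor-any", "extranet", "intranet", "any", "any", "any", "allow"),
    Rule("web-to-db", "dmz", "prod", "web01", "db01", "1433", "allow", "CHG-0002"),
    Rule("uat-to-prod", "uat", "prod", "uat-app", "prod-db", "5432", "allow", "CHG-0003"),
    Rule("default-deny", "any", "any", "any", "any", "any", "deny"),
]
```

Running `audit(SAMPLE_RULES)` returns five findings: four for the unscoped, unapproved vendor rule and one for the UAT-to-production rule.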
Article 7 (Wireless Networks)
- Access to wireless networks that an organization makes available to internal personnel shall be protected by currently valid, publicly ratified security protocols that contain no known vulnerabilities. These networks shall follow the organization's internal network management procedures and be restricted to official use by organizational personnel or approved use by information service providers.
- If an organization provides external wireless network access, its access protection should also use security protocols that are publicly ratified and contain no vulnerabilities.
- An organization shall formulate wireless network password rules to minimize the risk of cracking.
Article 8 (Access to the Intranet by External Equipment)
If an organization permits personnel or information service providers to use external equipment to access the intranet, it shall require an application to be submitted, inspect the security and authorization of the equipment, and restrict the access granted.
Article 12 (Outsourcing of Network Equipment Management)
An organization shall follow the Reference Guidelines on the Information Systems and Service Supply Chain Risk Management of Service Enterprises in Securities and Futures Markets if it is to outsource the maintenance and operation or management of all its network equipment to information service providers.
Article 16 (Cyber-threat Protection Mechanism)
- A type 1 organization shall develop a cyber-threat protection mechanism to maintain business operation, such as an intrusion detection and prevention mechanism. A type 2 organization shall evaluate whether to develop one.
- A securities firm or futures commission merchant with an online ordering service or an official website shall develop a protective mechanism against distributed denial-of-service attacks.
- A web application firewall shall be put in place for any information and communication system that offers external services.