Business Continuity Management (CC-20000,semi-annual audit)
- Failure recovery procedures (e.g. backup and recovery plans for computer equipment, communications equipment, power systems, databases, and computer operating systems etc.) shall be clearly formulated and reduced to writing.
- Failure recovery procedures shall be tested periodically; after testing, a review meeting shall be convened to consider ways to improve in response to deficiencies and a record thereof shall be retained.
- Securities brokers shall have backup measures in place for their trading servers.
- The company is advised to formulate a business continuity plan (covering such matters as activation conditions, participating personnel, emergency response procedures, backup procedures, maintenance schedules, education and training, descriptions of job duties, response plans of outside entities with which the company does business, and contract suitability), maintain measures necessary for the plan, and to prescribe the key operations and related impact analyses.
- The company shall adopt an information security reporting mechanism (e.g. formal reporting procedures and appointed contacts for information security incident reports). The company is advised to take appropriate corrective procedures for information security incidents relating to its information system and to retain related records.
- Any theft, alteration, damage, loss or divulgence of, or other information security incident involving, personal information shall be immediately reported by the companyto the TWSE (TPEx or Taiwan Securities Association)in writing, to be advised to the competent authority.
- The company shall establish clear operational procedures to defend and respond to distributed denial-of-service attack (DDoS).