4
|
Categorization and Control of Assets (CC-14000, semi-annual audit)
- Information assets shall be set out in a list; and the list shall be maintained.
- Rules shall be adopted for classification and labeling of information. (This is applicable to securities firms placing orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner).
- The company shall complete grading of the information system it developed independently or developed by outsourced provider. The minimum grading standard is to have core and non-core systems for the information system. The information system must be examined at least once a year to determine the appropriateness of grading. (To become effective by end of January 2022.)
|