|
Article 2
|
Scope of Evaluation
- Securities firms shall, in accordance with the "Establishing Information Security Inspection Mechanisms for Securities Firms–Schedule for Required Measures under Tiered Protection," develop an assessment plan for their overall information and communication systems (including self-developed and outsourced systems) on the basis of these Operating Procedures. To ensure business continuity and protect client rights and interests, securities firm shall classify information assets according to their importance and impact level, conduct information and communication security assessments regularly and by classification, present an "information and communication system information and communication security assessment report," implement corrective and preventive measures, and perform regular follow-up reviews. A foreign securities firm may follow its own information security checkup operating rules if they are better; otherwise, they shall comply with domestic regulations. Securities firms operating on a concurrent basis shall follow the rules applicable to their primary line of business; in the absence of such rules, these regulations shall apply.
- The assessment plan and results shall be submitted to the board of directors or approved by a managerial department authorized by the board, provided in the event of a Taiwan branch of a foreign securities firm, such may be carried out by the responsible person of the branch. The assessment plan shall be reviewed at least once every three years.
|