Title:

Operating Procedures for the Assessment of Information and Communication Security of Information and Communication Systems by Securities Firms

Announced Date: 2025.07.03 
Article 4  Information and Communication Security Assessment
  1. Information architecture review
    1. Review the network architecture configuration and the appropriateness of the information equipment security management rules etc., to assess potential risks and take necessary countermeasures.
    2. Review the maximum impact of single points of failure and risk-bearing capacity.
    3. Review the adequacy of measures taken in connection with business continuity.
    4. Timely refer to information security threat intelligence and protection recommendations published by the Financial Information Sharing and Analysis Center (F-ISAC) and implement relevant measures.
    5. Review whether servers are segmented by network segments according to the classification of information and communication systems, system functions, or service characteristics.
    6. Review whether boundary protection equipment (including gateways, routers, firewalls, protective devices etc.) and external network connection points have firewalls to control data transmission and resource access between the intranet and the internet, and restrict unnecessary connected parties and connection services.
  2. Network activity review
    1. Review access logs and account authorizations for network equipment, servers, and IoT equipment to identify anomalies and verify alert mechanisms.
    2. Review monitoring logs of information security equipment (such as firewalls, intrusion detection or prevention systems, anti-malware, data leakage prevention, spam filtering, phishing detection, web protection etc.) to identify anomalies and verify alert mechanisms.
    3. Examine the network for abnormal connections or unusual Domain Name System Server (DNS Server) queries, or monitor incoming and outgoing traffic, and cross-check against known malicious IPs, proxy servers, or patterns consistent with malicious network behavior.
    4. Review whether measures are established for detecting and handling counterfeit websites.
  3. Inspection of network equipment, servers, endpoint and communication equipment, IoT equipment etc.
    1. Conduct vulnerability scanning and remediation operations for network equipment, servers, endpoint equipment, and IoT equipment etc.
    2. Inspect terminals and servers for the presence of malware.
    3. Inspect the complexity of system account login passwords; review the storage protection mechanisms and access controls for external connection passwords (such as File Transfer Protocol (FTP) connections, database connections etc.).
    4. When performing IoT equipment inspections, follow the Establishing Information Security Inspection Mechanisms for Securities Firms
  4. The following shall be carried out in regard to network equipment, servers, and IoT equipment etc. that are accessible directly from the internet:
    1. Conduct penetration testing.
    2. Perform source code scanning or black-box testing of server application systems.
    3. Review access authorizations for server directories and web pages.
    4. Verify whether anti-tampering mechanisms for external websites and web pages are established.
    5. Inspect the systems for abnormal authorized connections, unusual CPU resource consumption, and anomalous database access activities etc.
  5. Client-side application testing
  6. Connections between securities firms and client-side applications shall be encrypted. The following tests shall be conducted on applications delivered by securities firms to clients:
    1. Vulnerability scanning where HTTPS or SFTP is provided.
    2. Source code scanning or penetration testing.
    3. Sensitive data protection testing (such as memory, storage media).
    4. Key protection testing.
    5. Implementation of the principle of least privilege, allowing users only the authorized access and control necessary to perform their assigned tasks and business functions.
  7. Security configuration review
    1. Review server settings (such as Active Directory) related to password principles and account lockout principles.
    2. Examine whether the firewall has security-risk ports or unnecessary ports open, and whether connection settings have security vulnerabilities.
    3. Review system access restrictions (such as Access Control Lists) and privileged account management.
    4. Examine update settings and status of operating systems, antivirus software, office software, and application software etc.
    5. Review security measures for key storage protection mechanisms and access controls etc.
    6. Verify that user identity is authenticated in the event of connection from the internet to the company's intranet.
  8. Measures against breaches of the reliability and security of information and communication systems:
    1. The company shall develop relevant countermeasures to enhance the reliability of its information and communication systems. These measures shall include:
      1. Enhancing hardware reliability: Including countermeasures to prevent hardware failures and the setup of backup hardware equipment.
      2. Enhancing software system reliability: Including measures to improve software development quality and software maintenance quality.
      3. Measures to improve operational reliability.
      4. Early detection and early recovery measures against failures.
      5. Disaster response measures.
      6. A verification plan must be established for system backup media, and the reliability of the backup media and the integrity of the backed-up information must be validated.
    2. The company shall develop relevant countermeasures against information and communication security breaches. These measures shall include:
      1. Data protection: Including measures to prevent leakage, destruction, or tampering, along with corresponding testing measures.
      2. Prevention of illegal use: Including access authorization verification, restriction of application scope, prevention of illegal forgery, limitation of internet access, and detection and response measures.
      3. Prevention of illegal applications: Including defense, detection, and recovery measures.
    3. Review whether the information and communication systems comply with the requirements of the Establishing Information Security Inspection Mechanisms for Securities Firms and related directives of competent authorities.
    4. Review whether the SWIFT system of the information and communication systems complies with the Customer Security Programme (CSP) published by SWIFT and requirements of related directives of the Taiwan Stock Exchange and the Taiwan Securities Association. In the event of a conflict with the information and communication security assessment procedure hereunder, the SWIFT CSP shall take precedence.
    Category I, Category II, and Category III information and communication systems shall all be incorporated into the information security assessment procedure based on the assessment items mentioned in the preceding paragraph, to ensure the effectiveness of the assessment.
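Item 2(3) of the preceding paragraph asks the assessor to cross-check outbound traffic against known malicious IPs and to look for unusual DNS queries. The following is an added Python example, not part of the Operating Procedures, showing one way to script such a review over constructed firewall and DNS log lines; the log formats, the blocklist addresses and the detection thresholds are assumptions, and a real review would load the blocklist from threat intelligence such as F-ISAC feeds.

```python
import math
import re
from collections import Counter

# Constructed sample data (documentation address ranges, made-up hosts):
# a small blocklist and a few outbound firewall / DNS log lines.
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.7"}

FIREWALL_LOG = """\
2025-07-03T09:00:01 ALLOW TCP 10.1.2.15:51422 -> 192.0.2.10:443
2025-07-03T09:00:05 ALLOW TCP 10.1.2.15:51430 -> 203.0.113.45:8443
2025-07-03T09:00:09 DENY  TCP 10.1.2.77:40012 -> 198.51.100.7:22
""".splitlines()

DNS_LOG = """\
2025-07-03T09:00:02 10.1.2.15 query A www.example.com
2025-07-03T09:00:06 10.1.2.15 query A 7a3f9c1e2b4d6f8a9c0e1b3d5f7a9c2e4b6d8f0a.cdn-files.example
2025-07-03T09:00:07 10.1.2.15 query TXT k8qz2mw9x4v1r7t3y6u0p5n8b2c4d6.cdn-files.example
""".splitlines()

# Assumed log layouts: "<ts> <ACTION> <proto> <src>:<port> -> <dst>:<port>"
# and "<ts> <client> query <type> <name>".
FW_RE = re.compile(r"^(\S+) (ALLOW|DENY)\s+\w+ (\S+):\d+ -> (\S+):(\d+)$")
DNS_RE = re.compile(r"^(\S+) (\S+) query (\w+) (\S+)$")

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def review_network_activity(fw_lines, dns_lines, bad_ips, max_label=30, min_entropy=3.5):
    """Return findings as (timestamp, source host, reason) tuples."""
    findings = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m and m.group(4) in bad_ips:  # any contact with a blocklisted IP, allowed or denied
            ts, action, src, dst, port = m.groups()
            findings.append((ts, src, f"{action} connection to known malicious IP {dst}:{port}"))
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, src, qtype, name = m.groups()
        first = name.split(".")[0]
        # Long or high-entropy leftmost labels are a common sign of DNS tunnelling.
        if len(first) > max_label or label_entropy(first) >= min_entropy:
            findings.append((ts, src, f"suspicious {qtype} query: label len={len(first)} "
                                      f"entropy={label_entropy(first):.2f}"))
    return findings
```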