| 4 |
Categorization and Control of Assets (CC-14000, semi-annual audit)
- Information assets, including such categories as software, hardware, sites, and data, shall be inventoried and maintained.
- Rules shall be adopted for classification and labeling of information. (This is applicable to securities firms placing orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner).
- The company shall complete grading of the information and communication systems that it developed independently or that were developed by an outsourced provider. At a minimum, the grading shall distinguish core from non-core information and communication systems. The information and communication systems must be examined at least once a year to determine whether the grading is appropriate.
- The company shall have regulations governing retention periods for information and documents relating to information assets, and have these documents deleted and destroyed after expiration of the retention period.
- The company shall avoid using products jeopardizing the information and communication security of the country.
|
|