8 |
8. Access Control (CC-18000, monthly audit)
- The company shall adopt rules governing controlledaccess of the information system and request the employees to abide by the rules in writing, electronically, or via other means.
- Authorization management:
- There shall be a detailed written description of the controls on the access to and use of programs.
- In the event of a personnel change, their use authorization shall be promptly updated.
- Access to and use of programs and files shall be granted on the basis of authorization.
- Authorization for computer access and use by outsourcers shall be subject to appropriate control, and the authorization shall be promptly reclaimedat the end of the outsourcing period.
- Outsourcers deployed to the company's premises shall be subject to the company's security management, and security control measures shall be applied if they wish to use internal network resources (e.g., where such personnel use a proxy server or establish a separate network, it is advisable that such sever or network be physically isolated from the internal network).
- Regular examination (at least semi-annually) and reconsideration shall be conducted with regard to the authorization of users who have not used the system for a long time (excluding users who are customers).
- Password Management:
- Users making use of the system for the first time may not operate the system until they have changed their initial password.
- Passwords shall be saved in a randomized format as generated using a secure and uncracked public algorithm (such as hash algorithm or other irreversible algorithms) and shall be encrypted.
- A user or customer who forgets his password shall go through a rigorous identity check of the company (such as verification of particulars with customer service, OTP, over-the-counter service etc.) before being allowed to use the system again.
- Initial passwords shall be generated randomly and have no connection with the user's or customer's identity. (This item is not applicable in the case of delivery of an electronic password slip by customized means.)
- The login session shall be terminated, the account blocked for at least 15 minutes against further login attempts, and relevant records retained, when a password is inputted incorrectly five times. Upon receipt from a customer of an application for unlocking, the company shall verify the customer's identification (such as by verifying its particulars with customer service, OTP, over-the-counter service etc.) and retain relevant records before the company may entertain the application.
- Except for voice-mail ordering systems, the company shall use strong passwords (at least six characters in length with alphanumeric characters or other symbols) and exercise control, and further encourage customers to change their passwords at least once every three months. The company shall take proper measures if a customer's password has not been changed for over a year or the password changed is the same as the previous set. Except for customers, other users in the company must change their passwords at least once every three months. (To become effective as of 30 November 2022)
- The company's current website, servers, Network Neighborhood, routers, switches, operating systems, databases, and other software and hardware equipment shall be password-protected. Default settings (e.g. "administrator," "root," "sa") or simple strings (e.g. "1234") shall be avoided as passwords. The company shall not fail to set administrator access privileges.
- Where a customer applies for electronic trading, the company may deliver an electronic password slip by general or customized electronic means by following the description below:
- In the case of delivery of an electronic password slip by general electronic means, it shall send an OPT (One Time Password) to the mobile phone number left by the customer when the customer opens an account, and shall send an encrypted electronic password slip by electronic means to the electronic mailbox advised by the customer. With respect to such procedure, records of the relevant systems shall be retained.
- In the case of delivery of an electronic password slip by customized means, the operating procedure for determination of delivery of electronic transaction password and the security control method shall be established, and the identification of the person to whom the electronic transaction password is delivered shall be verified to be the intended person, and relevant records shall be retained.
- Management of computer audit logs:
- Audit logs for important systems (like server login systems and online order systems) shall include user ID numbers, login dates and times, computer identification information, and IP addresses etc.
- Specially appointed personnel shall be assigned to regularly inspect the computer audit logs of important systems above.
- With respect to the relevant records retained, there should be appropriate procedures to ensure collection and protection of digital evidence, and the records shall be kept for at least three years.
- Data Input Management:
- The inputting or alteration of high-security or important data may be undertaken only with approval from the supervisor with proper authority.
- A log shall be kept of the data that is input or altered along with the names and job titles of the people who perform the inputting or alteration.
- Important data (e.g. password files) that are highly confidential shall be saved in a randomized format.
- If the company is a public company, it shall incorporate the Guidelines for Online Filing of Public Information by Public Companies into its internal control system and carry out information reporting in accordance with those directions.
- Where an electronic certificate, IC card, other form of certificate chip card, or other certificate carrier is used to represent the company in transmitting signatures (e.g. the Market Observation Post System, the Securities Firm Filings Window, or Official-Document Exchange Center), specially appointed personnel shall be responsible for maintaining custody of the certificate carriers and establishing a log book. Procedures governing the use and custody of account numbers and passwords shall be adopted and implemented.
- When a certificate carrier is used to represent the company in transmitting signatures, if the server side is a securityfirm application system (e.g. Electronic Reconciliation Statement System), a computer audit log shall be kept for the same period as the data in each operation.
- The personal information of customers and the company's internal personnel shall be properly handled in accordance with the Personal Information Protection Act.
- The company shall at regular or irregular intervals audit the management of information defined as personal information by the Personal Information Protection Act.
- Any updates, edits, or strike-outs of the aforementioned personal information shall be reported for recordation, and a complete and accurate log shall be maintained showing the content of the updates, edits, strike-outs, the names of the persons making them and the times at which they were made.
- As the company needs to collect, process, and transmit internationally personal data for business purposes, the company shall adopt"The Partition of Rights and Liabilities with Regard to Maintenance of Secrecy and Damages with Software/Hardware Manufacturers."
- Management of Data Output:
- Whether statements aregenerated and delivered to the user units in a timely manner.
- Whether appropriate control procedures arein place for the printing out or browsing of confidential or sensitive statements.
- There shall be an encrypted transmission mechanism (e.g. SSL) for investors searching personal information on the company website.
- With regard to the transmission of reports on execution of electronic and non-electronic trades, the company shall handle the names, account numbers, credit account numbers and other confidential and sensitive information in accordance with the Principles of the Classification and Concealment of Confidential and Sensitive Information.
|
|