Title:Establishing Information Security Inspection Mechanisms for Securities Firms(2023.08.23)
Categories: Market Supervision > Regulation of Securities Firms
1
Risk Assessment and Management (CC-11000, applicable to securities firms placing orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner; annual audit)
- All of the company's information assets within the scope of applicable information security risk and all owners of such assets shall be identified.
- The acceptable level of information security risk for each of the company's operations shall be determined.
- The company shall prepare written reports on information security risk evaluations. An evaluation shall be carried out at least once per year and all relevant records retained.
- The core system should be examined to determine a tolerable time period for interruption.
2
Information Security Policy: (CC-12000, annual audit)
- The company shall adopt an information security policy and set information operations security standards in accordance with its business needs and applicable laws and regulations.
- The following content shall be included in the information security policy:
- A definition of information security, information security objectives, and scope of information security.
- An explanation and description of the information security policy, information security principles and standards, and rules the employees must comply with.
- A description of the organizational unit in charge of the information security work, the unit's authority and duties, and segregation of said duties.
- Emergency procedures for reporting and handling an information security incident, along with related regulations.
- The information security policy adopted by the company shall be approved by its management, formally issued, and observed by all of its employees, and shall be communicated to, and observed by, the public and private institutions and information service providers that have network connections with the company.
- The company's information security policy shall be evaluated at least once per year to reflect the latest developments in laws, regulations, bylaws, technology, and business etc., and to ensure the efficacy of the company's information security operations. Records of the above evaluations shall also be retained.
- Information security policy evaluations shall be conducted in an independent and objective manner either internally or through an outsourced professional institution.
- The company shall have its chief information security officer or highest officer responsible for information security, and its board chairperson, general manager and chief audit officer jointly issue an internal control system statement on overall implementation of the information security measures during the previous year, in accordance with Article 24 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets, which will be submitted to the board of directors for approval. The statement shall be disclosed at the Market Observation Post System (MOPS) within three months after the closing of a fiscal year.
- The company shall take the required measures for tiered protection of information security by referring to the Establishing Information Security Inspection Mechanisms for Securities Firms – Schedule for Required Measures under Tiered Protection.
- The company shall bring its core system within the scope of an information security management system (ISMS) appropriate to its information security level. The ISMS shall be certified by an impartial third party, and the certification shall be kept valid.
3
Security Organization (CC-13000, annual audit)
- The company shall follow the requirements to have appropriate human resources and equipment available for planning and monitoring of the information security system and implementing the information security management operation. The job responsibilities of the relevant staff and their other concurrent responsibilities shall be in compliance with regulations.
- The company shall designate a vice president or high level supervisor to take overall charge of affairs pertaining to the promotion of information security policies and allocation of resources and, where necessary, may also establish an interdepartmental "Information Security Task Force." If the company satisfies certain conditions prescribed by the competent authority, it shall designate a person of or above the rank of vice president or with comparable functions to act concurrently as a chief information security officer to handle the aforementioned business.
- As necessary for the purposes of information security management and according to its information security level, the company shall specifically assign personnel or unit(s) to be responsible for planning and implementing information security work. The information security staff and their supervisor(s) shall attend at least 15 hours of information security professional programs and trainings each year and pass the associated assessment. Other staff with access to information systems shall attend at least three hours of information security awareness programs each year.
- If the company lacks sufficient information security manpower, skills, or experience, it may retain external scholars, experts, or professional private institutions and groups to provide information security consulting services.
- The authority and duties of the company's information processing department shall be clearly differentiated from those of its business units.
- The company shall require its information security personnel to obtain and maintain information security professional certifications commensurate with the company's information security level.
4
Categorization and Control of Assets (CC-14000, semi-annual audit)
- Information assets shall be set out in a list; and the list shall be maintained.
- Rules shall be adopted for classification and labeling of information. (This is applicable to securities firms placing orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner).
- The company shall complete the grading of its information systems, whether developed in-house or by an outsourced provider. At a minimum, systems shall be graded as core or non-core. The grading shall be reviewed at least once a year to confirm it remains appropriate. (To become effective by end of January 2022.)
5
Personnel Security (CC-15000, semi-annual audit)
- Employees shall be required to maintain confidentiality in accordance with applicable laws and regulations, and shall sign a non-disclosure agreement to establish their responsibility.
- When an employee leaves the company, the employee's user ID shall be revoked, and the employee's security pass, access card, and related documents shall be collected.
- The company shall regularly (at least annually) give information security lectures to all employees (for example, on information security policies, information security laws and regulations, information security operating procedures, and the proper use of information technology facilities) and retain records of the lectures.
- Employees shall receive information security training that is appropriate for their rank and complete the internally prescribed number of hours of training each year.
- The securities firms shall set up computer auditors. (This is applicable to securities firms placing orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner).
6
Physical and Environmental Security (CC-16000, semi-annual audit)
- Access to computer server rooms shall be controlled (e.g. by card swiping technology).
- Computer server rooms shall be equipped with fire prevention facilities that shall be inspected regularly.
- Natural disasters (e.g. earthquakes and floods) shall also be factored in.
- The power supply system of computer equipment shall include uninterruptible equipment and a power generator.
- Procedures for retirement and disposal of equipment shall be established. Prior to their retirement and disposal, any confidential or sensitive data and licensed software shall be removed, overwritten for security purposes, or physically destroyed. It shall be ensured that data stored in computer hard drives and storage media cannot be restored after retirement and disposal. Records of the retirement and disposal shall be retained.
- The company shall periodically review the security authorization for access to information equipment rooms.
7
Management of Communications and Operations (CC-17000)
- Management of network security (CC-17010, applicable to securities firms placing orders via the Internet; items a, b and e are applicable to all securities firms, subject to monthly audit):
- Evaluating the security of network systems:
- The company shall regularly evaluate the security of its own network systems (e.g., its operating system, network servers, browsers, firewall, and anti-virus software) and retain related records.
- Vulnerabilities in the network operating environment and operating systems (including servers, portable devices, personal terminals, and computers available on business premises to investors for shared use) shall be patched regularly and in a timely manner. The related documentation shall be retained.
- Matters bearing on computer network security (including promotion of awareness of the information security policy, prevention of hacking, and anti-virus measures) shall be communicated internally as needed and on a periodic basis.
- A specially appointed employee shall be designated to be responsible for computer servers and important software and hardware.
- The company’s network shall be categorized, according to purpose of use, as DMZ, operating environment, testing environment and other environment, and there shall be an appropriate division mechanism between these environments (e.g. firewall, virtual local area network, and physical separation).
- Personal information and confidential and sensitive information shall be stored in a secured network area, and shall not be stored on the Internet or other non-secured areas.
- Only necessary services and programs may be available in the system, and unused services and functions should be made unavailable.
- The company shall establish guidelines for remote access management to control operations performed on the internal environment over remote connections from external networks, and shall keep the relevant maintenance records for regular review by the responsible supervisor.
- The company shall prevent use of the internal network from an unauthorized device.
- Managing firewall security:
- A firewall shall be established.
- A specially appointed employee shall be responsible for managing the firewall.
- Firewall inbound and outbound connection logs, and backup copies of them, shall be retained for at least three years.
- Important website and server systems (e.g. online order placing systems) shall be isolated from the Internet by the firewall.
- The firewall system configuration shall be approved by the proper supervisor.
- The company shall review and maintain the firewall access control rules at least once a year and keep the relevant review records.
- No products that may jeopardize the national information security may be used on the equipment directly connecting to the networks used for the company’s transactions.
- Managing network transmission and connection security:
- Online order placing pages shall be protected by encryption in transit (e.g. TLS; legacy SSL protocol versions are deprecated and should be disabled).
- The company shall monitor and analyze, on a daily basis, records of failed log-ins to core system accounts and of attempts to log in to non-customer accounts, promptly ascertain the cause of any irregular log-in upon discovery (e.g. three wrong password attempts, mass log-in failures within a given period, or irregular downloads of certificate applications or certificate renewals by an account), and retain the relevant records.
- When providing online order services, the company shall implement multi-factor authentication at log-in for order placement (e.g. order certificate, device identifier, OTP, biometrics) to ensure that the log-in is performed by the customer personally.
- Managing CA authentication and certificates:
- A securities firm placing orders online shall adopt certificate delivery procedures to prevent certificates from being obtained by persons other than their intended owners. When a customer downloads a certificate application or a renewed certificate, multi-factor authentication must be performed (such as order certificate, device binding, OTP, biometrics, or SIM authentication), using factors different from those used for log-in, to identify the customer, and the relevant records must be retained.
- A securities firm placing orders online shall use an authentication system for all orders.
- Protecting against computer viruses and malicious software:
- Anti-virus software shall be installed. Its programs and virus definitions shall be given timely updates.
- Computer systems and data storage media (including emails) shall be regularly scanned for viruses.
- Anti-virus protection shall cover personal terminals (including portables and computers available on business premises to investors for shared use) and network servers.
- Emails from unknown sources shall not be opened. Special care shall be used in opening emails with attachments containing executable files.
- To prevent computer viruses from spreading and affecting computer security, the company shall adopt security rules governing email use and establish an email filter system.
- The company shall have online use control measures in place to prevent download of malware.
- The company shall detect links that connect to phishing websites and malicious websites and remind clients to be cautious about online phishing.
- The company is advised to conduct regular social engineering exercises on a yearly basis, and provide coaching to personnel who have opened an email or clicked a link they have been advised against opening or clicking, and keep relevant records.
- Inspecting the functions of online systems:
- The functions provided by online systems shall be inspected regularly and inspection records shall be kept.
- Changes to the web pages and programs of externally accessible online systems shall be monitored, recorded, and notified, and the responsible staff shall be requested to handle the matter.
- Regulations governing the company's provision of API services:
The application procedure, approval standards and relevant control measures and operations in regard to the company's provision of API services to customers are governed by the Directions for the Provision of Application Programming Interface (API) Service by Securities Firms to Customers
- Quality standards for services for placing orders via the Internet:
When providing services for placing orders via the Internet, the company needs to maintain the quality of customer services by establishing quality standards for placing orders via the Internet, which shall cover the key elements such as transaction security, stability and system availability, and customer services.
- Introduction of cyber-attack prevention system and security tests:
- The company shall regularly perform penetration tests on the core systems that provide Internet services, in accordance with its information security level, and remediate findings based on the test results. (To become effective by end of January 2022.)
- The company shall conduct regular information and communication security health checks according to its information security level, covering inspection of the network architecture, inspection for malicious network activity, inspection for malicious activity on user computers and on servers, review of the directory server configuration, and inspection of the firewall connection rules. (To become effective by end of January 2023.)
- The company shall establish an information and communication security threat detection and management system according to its information security level, covering event collection, anomaly analysis, attack detection, and determination of attack behaviour.
- The company shall establish an intrusion detection and prevention system according to its information security level.
- The company shall deploy application firewalls (e.g. a web application firewall) according to its information security level.
- The company shall implement advanced defense measures against advanced persistent threats (APT) according to its information security level. (To become effective by end of January 2023.)
- Notice of log-in or irregularity (to become effective as of 28 February 2023):
It is advisable that the company give notice upon the log-in of a customer's account. In the event of the following irregularities, immediate notice shall be given to the customer, and relevant records retained, to prevent log-in by persons other than the customer:
- a wrong password is entered or the account is blocked
- an application for a certificate is made or a certificate is updated
- particulars are amended
- a log-in is attempted by an irregular source or act
- an application for changing or replacing the password is made
- Monitoring and warning of irregular IP log-ins
The company shall monitor, analyze, and document irregular IP connections and IP connections from unknown sources. If the following circumstances are discovered, it shall develop an alert mechanism and inspect it regularly to confirm its effective operation:
- Different accounts are logged in from an IP from the same source for a certain number of times.
- The same account is logged in from different countries within a certain time.
- An attempt at log-in from an irregular source (e.g. an IP blacklisted by the Financial Information Sharing and Analysis Center (F-ISAC), or an overseas IP) is found.
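The following is an added example, not part of the inspection mechanism text, of detection logic for the daily log-in analysis and irregular-IP rules above, run over constructed sample log lines. The log line format, the alert thresholds (the text leaves "a certain number of times" to the firm), the home country, and the placeholder blacklist addresses are all assumptions made for illustration; a real deployment would feed the F-ISAC blacklist and an IP geolocation source into the same rules.

```python
"""Login anomaly detection over constructed sample log lines (added example).

Rules implemented, as described in the inspection mechanism text:
  - repeated wrong passwords on one account (three in a row)
  - mass log-in failures within a window, across all accounts
  - log-in from a blacklisted or overseas source IP
  - many different accounts logged in from one source IP within a window
  - the same account logged in from different countries within a window
Format of each constructed line: "<ISO time> <account> <ip> <country> <ok|fail>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (documentation-range IPs, invented account ids)
SAMPLE_LOG = """\
2023-08-01T09:00:01 A100 203.0.113.5 TW fail
2023-08-01T09:00:03 A100 203.0.113.5 TW fail
2023-08-01T09:00:05 A100 203.0.113.5 TW fail
2023-08-01T09:01:00 A200 198.51.100.9 TW ok
2023-08-01T09:02:00 A500 203.0.113.8 TW fail
2023-08-01T09:03:00 A600 203.0.113.9 TW fail
2023-08-01T09:05:00 A200 192.0.2.77 US ok
2023-08-01T09:10:00 A301 198.51.100.20 TW ok
2023-08-01T09:10:02 A302 198.51.100.20 TW ok
2023-08-01T09:10:04 A303 198.51.100.20 TW ok
2023-08-01T09:10:06 A304 198.51.100.20 TW ok
2023-08-01T09:20:00 A400 192.0.2.200 KR ok
"""

# Assumed: a blacklist in the form a firm might receive from F-ISAC (placeholder only)
BLACKLIST = {"192.0.2.200"}
HOME_COUNTRY = "TW"

# Assumed thresholds; tune to the firm's own traffic profile
FAIL_THRESHOLD = 3                      # consecutive wrong passwords on one account
MASS_FAIL_THRESHOLD = 5                 # failures across all accounts in MASS_FAIL_WINDOW
MASS_FAIL_WINDOW = timedelta(minutes=10)
SHARED_IP_ACCOUNTS = 3                  # distinct accounts from one IP in SHARED_IP_WINDOW
SHARED_IP_WINDOW = timedelta(minutes=5)
GEO_WINDOW = timedelta(hours=1)         # window for "different countries"


def parse(log_text):
    """Parse the constructed line format into (time, account, ip, country, result)."""
    events = []
    for line in log_text.splitlines():
        ts, account, ip, country, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, country, result))
    return events


def detect(events, blacklist=BLACKLIST, home_country=HOME_COUNTRY):
    """Return a list of (rule, account, ip) alerts in the order they are raised."""
    alerts = []
    consecutive_fails = defaultdict(int)
    fail_times = []                     # recent failure timestamps, all accounts
    ip_logins = defaultdict(list)       # ip -> [(time, account)] of successful logins
    account_logins = defaultdict(list)  # account -> [(time, country)] of successful logins
    for ts, account, ip, country, result in sorted(events):
        if result == "fail":
            consecutive_fails[account] += 1
            if consecutive_fails[account] == FAIL_THRESHOLD:
                alerts.append(("repeated_failure", account, ip))
            fail_times = [t for t in fail_times if ts - t <= MASS_FAIL_WINDOW] + [ts]
            if len(fail_times) == MASS_FAIL_THRESHOLD:
                alerts.append(("mass_failure", "*", "*"))
            continue
        consecutive_fails[account] = 0
        # Blacklisted or overseas source
        if ip in blacklist or country != home_country:
            alerts.append(("irregular_source", account, ip))
        # Many distinct accounts from one source IP within the window
        recent = [(t, a) for t, a in ip_logins[ip] if ts - t <= SHARED_IP_WINDOW]
        recent.append((ts, account))
        ip_logins[ip] = recent
        if len({a for _, a in recent}) == SHARED_IP_ACCOUNTS:
            alerts.append(("shared_ip", account, ip))
        # Same account seen from a new country within the window
        recent_acc = [(t, c) for t, c in account_logins[account] if ts - t <= GEO_WINDOW]
        if recent_acc and country not in {c for _, c in recent_acc}:
            alerts.append(("multi_country", account, ip))
        recent_acc.append((ts, country))
        account_logins[account] = recent_acc
    return alerts


if __name__ == "__main__":
    for rule, account, ip in detect(parse(SAMPLE_LOG)):
        print(f"{rule:18s} account={account} ip={ip}")
```

Each rule fires once when its threshold is crossed rather than on every subsequent event, which keeps the daily review list short; the records that triggered each alert are what the firm retains as evidence that the reason for the irregular log-in was ascertained.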
- Computer system and operation safety management (CC-17020, semi-annual audit)
- Managing computer equipment:
The company shall enter into a written maintenance agreement with the maintenance service provider to establish the content of computer equipment maintenance work. A maintenance log shall be retained after the completion of maintenance. The information unit shall appoint personnel to conduct inspection together with the maintenance personnel from the maintenance service provider.
- Environment configuration and use authorization settings of the operating systems of computers:
- The environment configuration and use authorization settings of the operating systems of computers shall be approved by the relevant supervisor and implemented by system administrators.
- Appropriate backup measures shall be in place with respect to files in the computer system before and after they are modified.
- The company shall establish the guidelines for management of accounts with the highest system authorization level, covering both operating system and application system, and the approval of the proper supervisor is required for use of an account with the highest authorization level, and relevant records shall be retained.
- The company shall establish and enforce a security configuration baseline for personal computers, servers, and network communication devices (e.g. minimum password length and password change frequency).
- The company shall use multi-factor authentication when an account is used to log in to a system via the Internet.
- Security management of computer media:
- Backup copies of important software, related documents, and inventory lists shall be made and stored in a separate safe location.
- If important backup files and software are stored in the same building that houses the computer center, they shall be kept locked in a fireproof room or in a cabinet that is both fireproof and earthquake-proof.
- Storage media used for backup materials shall be labeled with the name of the materials and their retention period.
- Handling procedures shall be established for media used to store confidential and sensitive information so as to prevent leaking or improper use of the information.
- A restore-testing mechanism shall be established to verify the integrity of backups and the suitability of the recovery environment.
- Management of computer operation:
- Computer operators shall strictly adhere to prescribed operating procedures.
- Complete and accurate records shall be provided in an operating log, which shall be inspected and approved daily by a supervisor. The operator and the supervisor may not be the same person.
- Specially appointed personnel shall be responsible for inspecting information in the logs of the system console and for regularly submitting the information to a supervisor for inspection and approval.
- The securities broker shall have a computer system that has adequate capacity and is capable of meeting the needs of its business.
- The securities broker shall adopt mechanisms and procedures for regular evaluations (at least once a year) of the capacity of and security measures for its computer system, to be carried out either internally or outsourced to a professional institution. The system capacity shall be stress-tested regularly and records of the testing retained.
8
Access Control (CC-18000, monthly audit)
- The company shall adopt rules governing controlled access to the information system and require employees to acknowledge the rules in writing, electronically, or via other means.
- Authorization management:
- There shall be a detailed written description of the controls on the access to and use of programs.
- In the event of a personnel change, their use authorization shall be promptly updated.
- Access to and use of programs and files shall be granted on the basis of authorization.
- Authorization for computer access and use by outsourcers shall be subject to appropriate control, and the authorization shall be promptly revoked at the end of the outsourcing period.
- Outsourcers deployed to the company's premises shall be subject to the company's security management, and security control measures shall be applied if they need to use internal network resources (e.g., where such personnel use a proxy server or a separate network, it is advisable that the server or network be physically isolated from the internal network).
- Regular examination (at least semi-annually) and reconsideration shall be conducted with regard to the authorization of users who have not used the system for a long time (excluding users who are customers).
- Password Management:
- Users making use of the system for the first time may not operate the system until they have changed their initial password.
- Passwords shall be stored in a non-recoverable form produced by a secure, publicly vetted algorithm that has not been broken (e.g. a salted one-way hash or other irreversible function), and the stored values shall be encrypted.
- A user or customer who forgets his password shall go through a rigorous identity check of the company (such as verification of particulars with customer service, OTP, over-the-counter service etc.) before being allowed to use the system again.
- Initial passwords shall be generated randomly and have no connection with the user's or customer's identity. (This item is not applicable in the case of delivery of an electronic password slip by customized means.)
- The login session shall be terminated, the account blocked for at least 15 minutes against further login attempts, and relevant records retained, when a password is inputted incorrectly five times. Upon receipt from a customer of an application for unlocking, the company shall verify the customer's identification (such as by verifying its particulars with customer service, OTP, over-the-counter service etc.) and retain relevant records before the company may entertain the application.
- Except for voice-mail ordering systems, the company shall use strong passwords (at least six characters in length with alphanumeric characters or other symbols) and exercise control, and further encourage customers to change their passwords at least once every three months. The company shall take proper measures if a customer's password has not been changed for over a year or the password changed is the same as the previous set. Except for customers, other users in the company must change their passwords at least once every three months. (To become effective as of 30 November 2022)
- The company's websites, servers, Network Neighborhood (Windows network shares), routers, switches, operating systems, databases, and other software and hardware shall be password-protected. Default credentials (e.g. "administrator", "root", "sa") and simple strings (e.g. "1234") shall not be used as passwords, and administrator access privileges shall always be configured rather than left unset.
- Where a customer applies for electronic trading, the company may deliver an electronic password slip by general or customized electronic means by following the description below:
- In the case of delivery of an electronic password slip by general electronic means, the company shall send an OTP (One Time Password) to the mobile phone number provided by the customer at account opening, and shall send an encrypted electronic password slip by electronic means to the e-mail address designated by the customer. Records of the relevant systems shall be retained for this procedure.
- In the case of delivery of an electronic password slip by customized means, the operating procedure for determination of delivery of electronic transaction password and the security control method shall be established, and the identification of the person to whom the electronic transaction password is delivered shall be verified to be the intended person, and relevant records shall be retained.
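The following is an added example, not part of the inspection mechanism text, showing the password-management rules above as working code: salted one-way hashing with a random per-user salt and constant-time comparison, forced change of the initial password, the minimum strength rule (at least six characters, letters plus digits or symbols), rejection of a new password equal to the previous one, lockout for 15 minutes after five wrong attempts, and a three-month rotation check. PBKDF2-HMAC-SHA256 with the iteration count shown, the account ids, and the sample passwords are assumptions for illustration; the lockout release after identity verification is modelled as a separate function because the text requires an out-of-band identity check before unlocking on request.

```python
"""Password storage, strength, lockout and rotation checks (added example)."""
import hashlib
import hmac
import os
import secrets
import string
from datetime import datetime, timedelta

PBKDF2_ITERATIONS = 100_000      # assumed; tune so one hash costs roughly 100 ms on the auth server
MIN_LENGTH = 6                   # minimum in the text
MAX_FAILURES = 5                 # lock after five wrong passwords
LOCK_PERIOD = timedelta(minutes=15)
ROTATION_PERIOD = timedelta(days=90)   # "at least once every three months"


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_strong(password):
    """At least six characters with letters and at least one digit or symbol."""
    has_alpha = any(c.isalpha() for c in password)
    has_other = any(not c.isalpha() for c in password)
    return len(password) >= MIN_LENGTH and has_alpha and has_other


def random_initial_password(length=10):
    """Random initial password with no connection to the user's identity."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate):
            return candidate


class Account:
    def __init__(self, user_id, initial_password, now):
        self.user_id = user_id
        self.salt, self.digest = hash_password(initial_password)
        self.must_change = True      # initial password may not be used to operate the system
        self.failures = 0
        self.locked_until = None
        self.changed_at = now


def _matches(acct, password):
    _, digest = hash_password(password, acct.salt)
    return hmac.compare_digest(digest, acct.digest)   # constant-time comparison


def login(acct, password, now):
    """Return 'locked', 'wrong_password', 'must_change_password' or 'ok'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"
        acct.locked_until = None      # lock period elapsed
        acct.failures = 0
    if not _matches(acct, password):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCK_PERIOD
            return "locked"
        return "wrong_password"
    acct.failures = 0
    return "must_change_password" if acct.must_change else "ok"


def change_password(acct, old, new, now):
    """Reject a wrong current password, a weak new password, or reuse of the previous one."""
    if not _matches(acct, old) or not is_strong(new) or _matches(acct, new):
        return False
    acct.salt, acct.digest = hash_password(new)
    acct.must_change = False
    acct.changed_at = now
    return True


def rotation_overdue(acct, now, max_age=ROTATION_PERIOD):
    return now - acct.changed_at > max_age


def unlock_after_identity_check(acct, identity_verified):
    """Unlock on request only after an out-of-band identity check has passed."""
    if not identity_verified:
        return False
    acct.failures = 0
    acct.locked_until = None
    return True


def demo_lockout():
    """Walk one account through first login, password change, lockout and lock expiry."""
    t0 = datetime(2023, 8, 1, 9, 0)
    acct = Account("A100", "Init1234", t0)                          # constructed account
    steps = [login(acct, "Init1234", t0)]                            # must_change_password
    steps.append(change_password(acct, "Init1234", "short", t0))     # False: too short
    steps.append(change_password(acct, "Init1234", "Init1234", t0))  # False: same as before
    steps.append(change_password(acct, "Init1234", "Tr4de-ok", t0))  # True
    steps.append(login(acct, "Tr4de-ok", t0))                        # ok
    for _ in range(MAX_FAILURES):
        steps.append(login(acct, "wrong", t0))                       # 4 x wrong_password, then locked
    steps.append(login(acct, "Tr4de-ok", t0 + timedelta(minutes=5)))  # locked
    steps.append(login(acct, "Tr4de-ok", t0 + LOCK_PERIOD))           # ok: lock has expired
    steps.append(rotation_overdue(acct, t0 + timedelta(days=91)))     # True
    return steps


if __name__ == "__main__":
    print(demo_lockout())
```

Note that the correct password is also refused while the account is locked; otherwise an attacker who has guessed the password could simply wait out the lockout with no signal to the firm. The failure counter and lock timestamps are the records the text requires to be retained.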
- Management of computer audit logs:
- Audit logs for important systems (like server login systems and online order systems) shall include user ID numbers, login dates and times, computer identification information, and IP addresses etc.
- Specially appointed personnel shall be assigned to regularly inspect the computer audit logs of important systems above.
- With respect to the relevant records retained, there should be appropriate procedures to ensure collection and protection of digital evidence, and the records shall be kept for at least three years.
- Data Input Management:
- The inputting or alteration of high-security or important data may be undertaken only with approval from the supervisor with proper authority.
- A log shall be kept of the data that is input or altered along with the names and job titles of the people who perform the inputting or alteration.
- Highly confidential important data (e.g. password files) shall be stored in a non-recoverable (e.g. hashed) form.
- If the company is a public company, it shall incorporate the Guidelines for Online Filing of Public Information by Public Companies into its internal control system and carry out information reporting in accordance with those directions.
- Where an electronic certificate, IC card, other form of certificate chip card, or other certificate carrier is used to represent the company in transmitting signatures (e.g. the Market Observation Post System, the Securities Firm Filings Window, or Official-Document Exchange Center), specially appointed personnel shall be responsible for maintaining custody of the certificate carriers and establishing a log book. Procedures governing the use and custody of account numbers and passwords shall be adopted and implemented.
- When a certificate carrier is used to represent the company in transmitting signatures, and the server side is a securities firm application system (e.g. the Electronic Reconciliation Statement System), a computer audit log shall be kept for the same period as the data of each operation.
- The personal information of customers and the company's internal personnel shall be properly handled in accordance with the Personal Information Protection Act.
- The company shall at regular or irregular intervals audit the management of information defined as personal information by the Personal Information Protection Act.
- Any updates, edits, or strike-outs of the aforementioned personal information shall be reported for recordation, and a complete and accurate log shall be maintained showing the content of the updates, edits, strike-outs, the names of the persons making them and the times at which they were made.
- Where the company needs to collect, process, or transmit personal data internationally for business purposes, the company shall adopt "The Partition of Rights and Liabilities with Regard to Maintenance of Secrecy and Damages with Software/Hardware Manufacturers."
- Management of Data Output:
- Whether statements are generated and delivered to the user units in a timely manner.
- Whether appropriate control procedures are in place for the printing or browsing of confidential or sensitive statements.
- There shall be an encrypted transmission mechanism (e.g. SSL) for investors searching personal information on the company website.
- With regard to the transmission of reports on execution of electronic and non-electronic trades, the company shall handle the names, account numbers, credit account numbers and other confidential and sensitive information in accordance with the Principles of the Classification and Concealment of Confidential and Sensitive Information.
9
Systems Development and Maintenance (CC-19000, semi-annual audit)
- The information security requirements shall be included in the analysis and specifications when an application system is being planned and analyzed.
- Whether inputs are verified to confirm their accuracy.
- Legal copyrighted software shall be used.
- Contracts shall be entered into for outsourced work. The terms of contracts entered into for outsourced work shall include an information security agreement and the right to audit the outsourcer's information security.
- When a completed program requires maintenance, it must be carried out in accordance with formally approved procedures.
- All documents and handbooks shall be properly maintained and controlled.
- Specially appointed personnel shall be responsible for maintaining application systems.
- Management of changes to application systems:
- Files that contain programs, data, and job control commands for formal and test operations shall be stored separately.
- When a program is modified, its documentation shall be promptly updated.
- The company shall regularly (at least semi-annually) scan its information system for vulnerabilities. When potential vulnerabilities are identified, it shall evaluate the associated risks or install software patches and retain a record (applicable to securities firms placing orders online, but not applicable to those doing so via telephone or in the traditional manner).
- Source code security regulations (applicable to securities firms placing orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner):
- Malware and other security vulnerabilities shall be avoided in a program.
- A program shall validate its input through a comprehensive and appropriate validation mechanism to ensure data completeness.
- When a library referenced by a program is updated, a correspondingly updated version of the program shall be made available.
- A program shall conduct security checks on character strings entered by users and provide a protection mechanism against injection attacks.
- Where a mobile application developed by an outsourcer involves transmission of sensitive data (such as a customer's account and password or transaction data), the company shall check and verify whether the parties to which the data are transmitted are appropriate and shall retain relevant records.
- Where no source code of a program is available, the provider of the program shall be requested to comply with the security measures in the preceding five paragraphs ((a) to (e)).
- Mobile application security control (applicable to securities firms placing orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner):
- Launch of a mobile application:
- A mobile application shall be launched in a mobile application store or on a mobile application website with a reliable source. The sensitive information to be accessed, mobile device resources, and proclaimed rights and purposes shall be specified upon said launch.
- The name, version and download location of a mobile application shall be provided on the official website.
- A fake mobile application detection mechanism shall be in place to protect customers’ rights and interests.
- Before launch, it shall be ascertained that the permissions (authority) requested by a mobile application match the services it offers. The initial launch, or any change of permissions, is subject to the consent of the information security and legal compliance units and shall be documented, to facilitate an overall assessment of whether the duty to notify under the Personal Data Protection Act is satisfied.
- Protection of sensitive information:
- When a mobile application transmits and stores sensitive data, a certification, hash or encryption mechanism shall be in place to ensure safe transmission and storage, and the data shall be appropriately de-identified when in use. Relevant access logs shall be protected to prevent unauthorized access.
- Upon activation of a mobile application, the mobile device shall be checked, and a risk alert shall be issued to the user if the device is detected to be unlocked (e.g. rooted, jailbroken, or with USB debugging enabled).
- Mobile application testing:
- In respect of mobile applications used by investors, data security testing shall be conducted by a third-party testing laboratory accredited by the Taiwan Accreditation Foundation, and shall be passed, before initial launch and each year thereafter. Such testing shall cover the items listed in the guidelines for vetting the security of mobile applications published by the Mobile Application Security Alliance, the testing unit commissioned by the Industrial Development Bureau, Ministry of Economic Affairs. If the application needs to be updated and re-launched within a year after laboratory testing is passed, material updates are subject to outsourced or self-testing prior to each launch. Material updates refer to functional changes to "trading order," "account inquiries," "identification" and "material customer rights and interests." The testing is based on the OWASP Mobile Top 10 and shall be documented.
- The company shall have in place a reexamination mechanism with regard to the test reports provided by a third-party testing laboratory, to ensure the testing items and contents are consistent. Such reexaminations shall be documented.
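The source code security regulations above require that user-entered strings be validated and that programs carry a protection mechanism against injection attacks, and the mobile application rules require sensitive data to be de-identified when in use and access logs to be protected. The following is an added illustration written for this page, not code from any securities firm, regulator or testing body: it places the forbidden pattern (user input concatenated into a query) beside the hardened form (allowlist validation followed by a parameterised query), and adds masking and keyed pseudonymisation so that neither the screen nor the access log carries a raw account number. The table layout, the 7-digit account format, the 4-to-6-digit stock code format, the HMAC key and all sample rows are constructed assumptions.

```python
"""Added example: validated, injection-safe account lookups with de-identified logging."""
import hashlib
import hmac
import re
import sqlite3

# Allowlists for the two user-supplied fields (assumed formats for this example).
_SYMBOL_RE = re.compile(r"^[0-9]{4,6}$")   # numeric stock codes, e.g. "2330"
_ACCOUNT_RE = re.compile(r"^[0-9]{7}$")    # constructed 7-digit account number

# Constructed key for log pseudonyms; in production this would come from a secret store.
_LOG_PSEUDONYM_KEY = b"example-log-key-not-for-production"


class ValidationError(ValueError):
    """Raised when user input fails the allowlist check."""


def validate_symbol(symbol: str) -> str:
    if not isinstance(symbol, str) or not _SYMBOL_RE.fullmatch(symbol):
        raise ValidationError(f"invalid stock symbol: {symbol!r}")
    return symbol


def validate_account(account: str) -> str:
    if not isinstance(account, str) or not _ACCOUNT_RE.fullmatch(account):
        raise ValidationError(f"invalid account number: {account!r}")
    return account


def make_db() -> sqlite3.Connection:
    """In-memory database holding constructed sample holdings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE holdings (account TEXT, symbol TEXT, shares INTEGER)")
    conn.executemany(
        "INSERT INTO holdings VALUES (?, ?, ?)",
        [("1000001", "2330", 1000), ("1000001", "2317", 500), ("1000002", "2330", 200)],
    )
    conn.commit()
    return conn


def holdings_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """The pattern the regulation forbids: user input spliced into SQL text.

    Kept only to show what the hardened version prevents. Any quote in the
    input changes the meaning of the query instead of being treated as data.
    """
    query = f"SELECT symbol, shares FROM holdings WHERE account = '{account}' ORDER BY symbol"
    return conn.execute(query).fetchall()


def holdings_hardened(conn: sqlite3.Connection, account: str) -> list:
    """Allowlist validation first, then a bound parameter: the input can only ever be data."""
    account = validate_account(account)
    return conn.execute(
        "SELECT symbol, shares FROM holdings WHERE account = ? ORDER BY symbol", (account,)
    ).fetchall()


def mask_account(account: str) -> str:
    """De-identify for display: keep first and last two digits, mask the rest."""
    account = validate_account(account)
    return account[0] + "*" * (len(account) - 3) + account[-2:]


def log_pseudonym(account: str) -> str:
    """Keyed pseudonym for access logs, so a log reader cannot recover the account
    number but repeated accesses by the same account remain correlatable."""
    account = validate_account(account)
    return hmac.new(_LOG_PSEUDONYM_KEY, account.encode(), hashlib.sha256).hexdigest()[:16]


def demo() -> dict:
    """Run both variants on a malformed input and on a real account; return the outcomes."""
    conn = make_db()
    probe = "x' OR '1'='1"   # not an account number; breaks out of the quoted literal
    leaked = holdings_vulnerable(conn, probe)
    try:
        holdings_hardened(conn, probe)
        rejected = False
    except ValidationError:
        rejected = True
    return {
        "rows_leaked_by_vulnerable": len(leaked),   # whole table
        "hardened_rejected": rejected,              # True: stopped at validation
        "hardened_own_rows": holdings_hardened(conn, "1000001"),
        "display": mask_account("1000001"),
        "log_id": log_pseudonym("1000001"),
    }


if __name__ == "__main__":
    print(demo())
```

Validation alone is not the injection defence here; the bound parameter is. The allowlist exists so that malformed input is rejected at the boundary with a clear error and never reaches the database, which is also what makes the masking and pseudonym helpers safe to call on the same value.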
10
Business Continuity Management (CC-20000, semi-annual audit)
- Failure recovery procedures (e.g. backup and recovery plans for computer equipment, communications equipment, power systems, databases, and computer operating systems etc.) shall be clearly formulated and implemented, and records shall be made.
- Failure recovery procedures shall be tested periodically; after testing, a review meeting shall be convened to consider ways to improve in response to deficiencies and a record thereof shall be retained.
- Securities brokers shall have backup measures in place for their trading servers.
- The company shall formulate a business continuity plan (covering such matters as activation conditions, participating personnel, emergency response procedures, backup procedures, maintenance schedules, education and training, descriptions of job duties, response plans of outside entities with which the company does business, and contract suitability), maintain the measures necessary for the plan, identify its key operations and carry out related impact analyses, and regularly conduct business continuity exercises according to its information security level. (To become effective by end of January 2022.)
- The company shall adopt an information security reporting mechanism (e.g. formal reporting procedures and appointed contacts for information security incident reports). In the event of information security and service irregularities relating to information systems, the company shall apply the Operational Guidelines on Reporting of Information and Communication Security Related Events in Securities and Futures Markets, take appropriate corrective procedures, and retain related records.
- Any theft, alteration, damage, loss or divulgence of, or other information security incident involving, personal information shall be immediately reported by the company to the TWSE (TPEx or Taiwan Securities Association) in writing, to be advised to the competent authority.
- The company shall establish clear operational procedures to defend against and respond to distributed denial-of-service (DDoS) attacks.
- The company shall proceed with the following information security matters:
- designate personnel and departments to coordinate and liaise with all related departments;
- periodically evaluate core operating systems and equipment, take appropriate measures in response to evaluation results, and make a report to the board of directors, to ensure capability for business continuity and operational resilience;
- disclose in sustainability reports, annual reports, or financial reports or on the company website the resources required for the company to continue with the operation of core operating systems and equipment within the year and the relevant implementation of annual budgets or education and training programs, etc.
11
Compliance (CC-21000, semi-annual audit)
- A company shall regularly (at least annually) carry out an information security audit (either internally or outsourced to a professional institution) and keep an audit log.
- The company shall monitor the improvements made in response to the aforementioned information security audits (including audit summaries, scope of audits, descriptions of deficiencies, and recommendations for improvement).
12
Application of new technologies (CC-21100, annual audit)
- Cloud services:
- If the company is using cloud services, it shall establish cloud computing service operation security regulations covering the method for selecting a cloud service provider, audit measures, backup systems, service standards (including information security protection), and recovery time requirements. Where any requirement is not met, additional compensatory measures shall be taken.
- If the company is a cloud service provider, it shall establish cloud computing service security control and management measures covering legal compliance, authority control and management, allocation of rights and responsibilities, and information security protection. Where sensitive information is transmitted, encrypted communication protocols such as HyperText Transfer Protocol Secure (HTTPS) and SSH File Transfer Protocol (SFTP) shall be used.
- Social media:
- The company shall establish the information security regulations for social media and the regulations for use of social media, covering:
- A definition of what business-related information may be shared on social media for business purposes.
- The distinction between social media used for personal purposes and for business purposes, and the key points governing their use.
- The level of risk in allowing employees to use social media shall be assessed, including information disclosure, social engineering, malware attacks, etc., and appropriate security control measures shall be taken.
- The company shall establish the information security regulations and management policies for operation of its official pages on the social media, which shall cover the following:
- Understand the privacy policy applicable to the social media on which it maintains its official page, and review the changes to its privacy policy and assess the risks regularly (once a year).
- If the official website contains a link that takes users away from the website to the social media, when a user clicks the link, there should be a pop-up window notifying the user he or she is leaving the company's website.
- The name and contact method of the securities firm shall be specified on the social media page so that it can be identified as the firm's official page on that social media.
- An account authorization management system shall be established to control and monitor posts; inappropriate comments and irregularities shall be reported or handled.
- Mobile devices:
- The company shall establish the information security regulations and management policies for mobile devices for business use, which shall cover the following:
- The management policies for mobile devices shall include applicable regulations for request, use, replacement and return of a mobile device.
- When the user is changed, the mobile device should be reconfigured or the original configurations should be cleared to ensure the security of the environment of the mobile device.
- It is advisable that only official applications, or other applications that have passed testing and are listed by the company as downloadable, be installed on the device.
- The company shall establish the information security regulations and management policies for employee-owned mobile devices, which shall cover the following:
- The company shall permit employees to use their own mobile devices only for specified purposes.
- The company shall sign an agreement with each employee who uses a personal mobile device for work, setting out the limits on use, the liabilities of the parties, and similar terms.
- The company shall prohibit unauthorized connection from employee-owned mobile devices to its internal information equipment via the Internet.
- The Internet of things:
- The information security regulations and management policies for the Internet of things (IoT) shall be established, which shall cover the following:
- The management list of IoT equipment shall be created and updated at least once a year, and the initial password to the above equipment shall be changed.
- IoT equipment shall have the security update mechanism and shall be updated regularly (once a year). If a defect to the equipment is known and no update to correct the defect is possible, a compensatory control system shall be established.
- Network connection and services not needed for IoT equipment should be turned off. Use of public Internet connection is advised against.
- When signing a procurement contract with a supplier of IoT equipment, it is advisable that the contract include terms on information security and a clear definition of related liabilities, e.g. service warranty, lifespan of security updates, voluntary notification of known vulnerabilities in the equipment, and submission of appropriate response measures, to ensure the equipment carries no known security vulnerabilities.
- When procuring IoT equipment, the company is advised to make it a priority to procure such IoT equipment with information security certification.
- The company shall regularly conduct information security education and trainings for users and management personnel of IoT equipment.
- Remote Work:
- To mitigate data breach risks, the company shall install information security software on remote work equipment to control the access rights of applications.
- The company shall specify the system function rights of employees working from home according to the scope of their business and control authority.
- The company shall establish the restrictions on the time of connection and relevant regulations based on the duties performed by the employees.
- The company shall keep track of remote employees' user log-ins to systems, operation of computer equipment, and transaction records.
- The company shall adopt multi-factor authentication (employee account password, dynamic password, one-time password) and create safe remote network channels to mitigate risk of forgery or unauthorized use of the relevant account passwords.
- The company shall prevent malicious or unauthorized connections and establish remote account access rules in accordance with the principle of least privilege (PoLP).
- The company shall regularly update the security control measures concerning connections to virtual private networks (VPN) and other remote access systems.
- The company shall develop measures to protect client privacy and the security of client data and records.
- The company shall have in place an information security mechanism to strengthen the promotion of information security and to educate employees who work remotely on cyber vigilance.
13
Others (CC-22000, semi-annual audit)
- Provision of information (CC-22010)
- All important laws, regulations, by-laws, and notices shall be promptly posted on a public bulletin board.
- The listed company's operating data and prospectus shall be displayed at the securities investment data counter for customer access.
- The business hall shall install a Market Observation Post System for customers to operate on their own.
- A reading room shall not limit its users and shall not charge fees.
- No dedicated bidding terminal may be installed in the reading room.
- There shall not be any contract signing with customers for account openings, accepting of commission for the buying and selling of securities, or any other similar securities business in the reading room.
- Real time stock market trading data posted on the website shall be provided by a data company that has entered into a contract with the Taiwan Stock Exchange Corporation.
- Information provided to the public on the website shall be inspected regularly. Information that is confidential or sensitive shall be promptly removed. The Rules Governing Securities Firms Recommending Trades in Securities to Customers shall be followed, and no information that falls under the scope of a securities investment consulting enterprise may be made public in the name of the company on behalf of such enterprise.
- Securities firms making recommendations on an online platform shall use password controls to restrict which customers have access to the research reports on each stock. Customers shall sign a recommendation contract with the securities firm (domestic and foreign institutional investors are exempted).
14
Co-location service management (CC-23000), applicable to securities firms using the co-location service (monthly or semi-annual audit)
- For equipment and other assets entering and exiting the host co-located server room, the company shall make an application in the Host Co-Location User Service System, cooperate in inventory checks, and retain relevant records (semi-annual audit).
- The company shall cooperate by conducting regular inventories of the host and web equipment in the cabinets in the host co-located server room (semi-annual audit).
- The company’s software and hardware equipment placed in the host co-located server room shall have complete information security protection measures in place in accordance with the Establishing Information Security Check Mechanism for Securities Firms (monthly or semi-annual audit).