Title: Reference Guidelines on the Supply Chain Risk Management of Service Enterprises in Securities and Futures Markets (2022.04.26)
Categories: Information Operations
Chapter 1 General Provisions
Article 1
(Purpose)
For the purpose of assisting securities firms, futures commission merchants, and securities investment trust and securities investment consulting enterprises in managing the risk of the information service supply chain, these reference guidelines on supply chain risk management are drafted to address issues concerning the selection and management of, and the termination and rescission of contracts with, information service suppliers, in accordance with the issues identified in the "Financial Data Security Action Plan" published by the Financial Supervisory Commission concerning the enhancement of management mechanisms, such as risk assessment and audit, for financial industry information and communication system suppliers and cross-institutional information services.
Article 2
(Applicability and Parties Governed)
Parties governed by these guidelines include securities firms, futures commission merchants, securities investment trust enterprises and securities investment consulting enterprises and are divided into two types as below:
- Type 1:
- organizations appointing a chief information security officer in accordance with Article 36-2 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets
- tiers 1, 2, and 3 securities firms in the Establishing Information Security Inspection Mechanisms for Securities Firms – Schedule for Required Measures under Tiered Protection
- tiers 1, 2, and 3 futures commission merchants in the Establishing Information Security Inspection Mechanisms for Futures Commission Merchants – Schedule for Required Measures under Tiered Protection
- Type 2:
- non-type 1 organizations
- If the data security management policy of a Taiwan subsidiary or branch of a foreign group is controlled and established by the foreign parent company or head office, the relevant control measures established by the parent company or head office shall prevail if they provide for better regulation; if no such measures are in place, the policy shall be in accordance with Taiwan laws and regulations.
- The reference guidelines below address matters to be observed by both type 1 and type 2 organizations unless otherwise specifically remarked.
Article 3
(Definitions)
- Information technology outsourcing:
A situation where an organization outsources information and communication services in whole or in part to software and hardware suppliers, maintenance and operation contractors, and cross-institutional partners outside the organization.
- Information asset:
An asset pertaining to the processing of information, including hardware, software, data, documents, and personnel, etc., such as information of the operating system, applications, and other software of a server or a user’s computer.
- Information and communication system:
A system used for collecting, controlling, transmitting, storing, circulating, deleting information or otherwise processing, using, and sharing information.
- Information and communication service:
A service relating to the collection, control, transmission, storage, circulation, erasure, or other processing, use, or sharing of information.
- Cloud computing service:
A flexible, scalable, and self-operatable service available to users for the purpose of sharing computing resources through network technology.
- Trade secret:
A method, technology, manufacturing process, prescription, program, design, or other information that can be used in production, sale, or operation, meeting the following requirements:
- information not generally known to persons commonly involved with information of this type
- information of an actual or potential economic value on account of its secrecy
- information for which its owner has taken reasonable measures to maintain its secrecy
- Access:
Various ways of accessing information assets, including acquisition, use, safekeeping, inquiry, revision, adjustment, destruction, etc.
- Project officer:
The project manager, head of the department in charge of the particular business, or person designated thereby.
- Security by design:
The process of incorporating the concept of information and communication security into a service or product during its inception. Security requirements are listed, security risks identified, and control measures implemented during the design stage of the development process, as the basis for the verification of security functions to ensure a secure life cycle of the software.
- Privacy by design:
The process of incorporating the concept of privacy protection into a service or product during its inception. Privacy protection requirements are listed, relevant risks identified, and control measures implemented during the design stage of the development process, as the basis for the verification of security functions.
- Information and communication security event:
An event where a system, service, or network is found upon evaluation to show signs of a possible breach of the information and communication security policy or failure of a protective measure, which impacts the operation of the information and communication system, constituting a threat against the information and communication security policy.
Chapter 2 Selection of Information Service Suppliers
Article 4
(Screening of Information Service Suppliers)
- An organization shall assess the operational capability of an information service supplier, adopt appropriate risk control measures, ensure outsourcing quality, and pay attention to appropriately diversifying information service suppliers to control operational risk. If there are doubts about overconcentration (including reliance on a single information service supplier by the organization or by the market as a whole), a risk assessment shall be conducted in the selection of information service suppliers, and the results of the assessment shall be reported to the rank of general manager for approval.
- The standards for the selection of information service suppliers by an organization shall comprise the following and be documented and recorded for reference:
- Financial capability, management capability, professionalism, maintenance and operation capability, and track records of the information service supplier.
- A cloud computing service supplier shall have in place sound cloud computing information and communication security measures (provide a description of the measures and their implementation) or be third party-certified (e.g., CSA STAR, ISO 27017, ISO 27018).
- An information service supplier of a type 1 organization shall have in place sound information and communication security measures (provide a description of the measures and their implementation) or be third party-certified (e.g., ISO 27001).
Article 5
(Preparation and Execution of a Nondisclosure Agreement)
Should information assets be exchanged in the course of selection of information service suppliers, an organization shall prepare a nondisclosure agreement properly and execute it before the exchange of classified information pertaining to the product or service being procured.
Article 6
(Request for Proposals)
In the event of a large procurement specified by a type 1 organization, the organization shall request an information service supplier to present a proposal and ascertain whether the content of the proposal meets the requirements of the procurement. The proposal shall incorporate the following:
- the product/service to be procured by the organization
- the organization’s information security requirements with which the information service supplier shall comply, e.g., the organization’s information security policy
- the information service supplier’s project management capability
Chapter 3 Management of Information Service Suppliers
Article 7
(Security Control of Information Service Supplier Agreements)
- After an organization selects an information service supplier, the parties shall agree on and confirm the content of the agreement. The agreement shall incorporate the following:
- Basic contractual requirements
- term of the agreement
- scope of service
- delivery date of the service
- service standard
- provisions on the change of service
- standards for acceptance testing of the service
- procedures for handling an information and communication security event, including the requirement that the engaged contractor take the initiative to notify the principal promptly should such event occur
- clauses giving the organization the right to audit the information service supplier, including, within the scope of outsourcing, the information service supplier's consent that a competent authority or the Central Bank may obtain relevant data or reports and conduct financial examinations, or may order it to provide related data or reports within a prescribed time limit
- provisions on the assignment of the agreement or consent to subcontracting
- confidentiality clause
- penal provisions and damages clause
- dispute resolution procedures
- breach of contract clause
- provisions on termination, including material grounds for termination and clauses entitling a competent authority to give notice of termination or rescission in accordance with the contract
- consequences of termination
- warranty
- rights and responsibilities
- Requirements for the information service supplier’s products and services
- An organization shall specify expressly the intellectual property rights in the IT-outsourced service or product.
- An organization shall specify expressly whether subcontracting of the IT-outsourced service or product to other suppliers is permitted. If it is permitted, the information service supplier shall provide the subcontracting plan and obtain the organization’s approval before proceeding with the subcontracting.
- A type 1 organization shall specify expressly the requirement that security by design be incorporated into the service or product being procured during its inception. The security by design mechanism shall include, in respect of the service and product, the protection of classified information, authorization and authentication, security update, etc.
- A type 1 organization shall specify expressly the requirement that privacy by design be incorporated into the service or product being procured during its inception.
- Where the scope of service involves the development, maintenance, and monitoring of the information and communication system, an organization shall expressly require the information service supplier to comply with the Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets.
- Where the scope of service involves the use of the cloud computing service, an organization shall expressly require the information service supplier to comply with the Securities and Futures Market Related Association Emerging Technology Information Security Control Guidelines.
- Requirements for information security of the information service supplier
- An organization shall specify expressly the information security requirements, Personal Data Protection Act, other applicable laws and regulations, and confidentiality obligations with which the information service supplier shall comply.
- An organization shall specify expressly its role and responsibilities and those of the information service supplier in regard to information security within the scope of IT outsourcing.
- An organization shall specify expressly that the information service supplier shall provide certification of security testing such as mobile application security checks, source code analyses, vulnerability scans, etc., and shall ensure the system or program delivered is free of malicious programs and backdoors. Programs deployed on the Internet shall pass code scanning or black box testing.
- An organization shall specify expressly that the information service supplier be required to present certification of the sources and licences of the components of third-party programs.
- An organization shall specify expressly that information on the scope of service outsourced by the organization as processed by the information service supplier be made available within the time limit prescribed by the organization.
- An organization shall specify expressly the procedures for an information service supplier to handle a change of service or information and communication security event.
- A type 1 organization shall specify expressly that, to the extent of IT outsourcing, information of the organization be clearly separated from data of an information service supplier and data of other organizations that are processed by an information service supplier and shall encrypt said information for protection.
- A type 1 organization shall specify expressly the permits and licenses concerning information security and quality that shall be obtained by an information service supplier.
- An organization shall ascertain the extent of completion of confidentiality undertakings by an information service supplier during the execution of the contract.
Article 8
(Information Service Supplier Access Management)
- For the purpose of protecting its information assets, an organization’s project officer shall advise an information service supplier of the organization’s regulations pertaining to information security and make an application in accordance with the authorization application procedure of the organization before he or she may authorize the information service supplier access to the organization’s information assets.
- An organization shall control and manage the right of access and use by an information service supplier’s personnel and computers and reclaim such right immediately after the outsourcing period ends.
Article 9
(Identification of Access Risk of an Information Service Supplier)
The project officer shall conduct a risk assessment taking the following into consideration where it is necessary for an information service supplier to access the information assets and trade secrets of an organization:
- Laws and regulations or competent authority regulations shall be complied with. Security control shall be designed in accordance with the principle of least privilege and the minimum disclosure necessary for the outsourcing.
- Control measures for the acquisition, use, safekeeping, inquiry, revision, adjustment, and destruction of an organization’s information assets and trade secrets shall be taken into account in their control and management.
- An information service supplier’s responsibility for protection:
- An organization shall require that the access control measures of an information service supplier not be inferior to the terms of the agreement with the organization and Article 7, paragraphs 1 and 2 of the Trade Secrets Act.
- An organization shall require an information service supplier to warrant that use of the information asset or trade secret concerned is limited to the scope of application.
Article 10
(Security Management)
An organization shall pay attention to the following in the course of a project:
- Where reliance on an information service supplier is overconcentrated, a register shall be compiled to facilitate management, and the supplier's information security event identification, response, and risk mitigation mechanisms shall be ascertained.
- A foreign investment organization shall comply with the following if it outsources information to the head office or an overseas subsidiary for offshore processing for the purposes of internal division of work (Outsourcer Institution):
- The organization shall fully understand and maintain access to the status of collection, processing, use, international transmission, and control of client information by the Outsourcer Institution.
- Client information made available by the organization to the Outsourcer Institution shall be limited to necessary information that directly pertains to the outsourced matter.
- The organization shall require the Outsourcer Institution to comply with the following:
- The organization’s client information shall be used and processed only by authorized personnel of the Outsourcer Institution within the scope of the outsourced matter.
- The organization’s client information shall be clearly separated from the data of the Outsourcer Institution and data of other institutions processed by the Outsourcer Institution.
- Client information of the organization as processed by the Outsourcer Institution shall be made available to the organization promptly.
- In the event of the international transmission of classified data, the organization shall develop an encrypted transmission mechanism, confirm the compliance of the Outsourcer Institution’s collection, processing, use, international transmission, and control of client information with the applicable provisions of Taiwan’s Personal Data Protection Act, obtain authorization from the subject prior to transmission, not violate any restriction of a competent authority on international transmission, and keep complete audit records.
- The organization shall manage and periodically examine (at least biannually) the field operation and authorization of physical access and logical access of the information service supplier, including the operational site's configurations, network equipment and host connections, computer and telephone use, access to and from the computer room, temporary pass applications, etc.
- The organization shall include in its security management any personnel of information service suppliers stationed within the organization. Security control measures shall be in place if use of intranet resources is contemplated (e.g., where a separate network is adopted, it shall be physically separated from the intranet).
- An organization shall request the information service supplier for a list of stationed personnel.
Article 11
(Management of Change of Service)
If information security is impacted by a change of a service rendered by an information service supplier, the project officer of the organization shall conduct a risk assessment, e.g., impact analysis of confidentiality, integrity, and availability, ISO 27001 risk assessment, with regard to the service changed.
Article 12
(Review of Services of an Information Service Supplier)
- An organization or a third party authorized thereby may audit an information service supplier periodically (at least once a year), and when the organization deems monitoring and audit necessary, during the IT outsourcing period.
- If an organization outsources, e.g., a software and hardware maintenance agreement, system management, etc., for a year or more, the information service supplier shall provide periodic service standard reports for review and reference in accordance with the requirements of the agreement.
Chapter 4 Project Termination and Rescission with an Information Service Supplier
Article 13
(Termination, Rescission, or End of a Project)
- After a project is terminated, rescinded, or ends, an organization shall immediately suspend the physical access and logical access authorization granted to an information service supplier, and reclaim, or request the information service supplier to destroy, the organization's information assets and trade secrets; where necessary, the organization may request the information service supplier to prove such destruction.
- An organization shall define the requirements for service continuity following the termination of IT outsourcing, including the following:
- information security requirements with which the initial information service supplier and the organization shall comply, if it is decided the product or service is to be transferred by the initial information service supplier back to the organization or to another information service supplier
- the organization's information assets which are used in the IT outsourcing project, to facilitate their return to the organization in an intact form, or to ensure their destruction or transfer to another information service supplier, upon termination of the project
- the procedure for the above return, transfer, or destruction, and supporting documents to be presented where necessary
- the survival of the confidentiality undertakings after the IT outsourcing is terminated
- time limit for the completion of the termination procedure
Chapter 5 References
Article 14
- Executive Yuan (June 2018), Cyber Security Management Act, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=A0030297
- Executive Yuan (January 2020), Trade Secrets Act, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=J0080028
- National Center for Cyber Security Technology, Executive Yuan (August 2021), Reference Guidelines on Information Security in Government Information Outsourcing, https://www.nccst.nat.gov.tw/CommonSpecification?lang=zh
- Securities and Futures Bureau, Financial Supervisory Commission (September 2021), Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=G0400048
- Banking Bureau, Financial Supervisory Commission (September 2019), Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, https://law.moj.gov.tw/LawClass/LawAll.aspx?pcode=G0380200
- Taiwan Stock Exchange Corporation (November 2021), Standards and Regulations Governing Internal Control Systems of Securities Firms, https://dsp.twse.com.tw/brokerFileDownload/list
- Taiwan Futures Exchange Corporation (July 2021), Standards and Regulations Governing Internal Control Systems of Futures Commission Merchants, https://www.taifex.com.tw/cht/8/fcmInnerControl
- Taiwan Stock Exchange Corporation (July 2021), Establishing Information Security Inspection Mechanisms for Securities Firms, http://www.selaw.com.tw/LawArticle.aspx?LawID=G0100479&ModifyDate=1100720
- Taiwan Futures Exchange Corporation (December 2021), Establishing Information Security Inspection Mechanisms for Futures Commission Merchants, http://www.selaw.com.tw/LawContent.aspx?LawID=G0101501
- Taiwan Securities Association (May 2021), Taiwan Securities Association Self-Regulations of the Information Security of Emerging Technology, http://www.selaw.com.tw/LawArticle.aspx?LawID=G0103907
- Taiwan Securities Association (May 2006), Reference Guidelines on the Directions Governing Securities Firm Information Outsourcing Contracts, https://www.rootlaw.com.tw/LawArticle.aspx?LawID=A040390050031400-0950421