Title:Directions on Information and Communication Security Management and Control of New Technologies for Associations of Securities and Futures Market(2022.05.11)
Categories:
Information Operations


Chapter I – General Rules

Article 1
    (Purpose)
    These directions on information and communication security management and control relating to the issues of risks of new technologies are established to assist securities and futures enterprises in securely and effectively managing and applying new technologies.

Chapter II – Secured Operation of Cloud Computing Services

Article 2
    (Definition of cloud computing services)
    Subject to shared use of computing resources enabled by online technologies, to provide users with flexible, extendable and self-service services, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
  1. Infrastructure as a Service or IaaS: A cloud service provider provides information technology infrastructure to cloud service users via the Internet.
  2. Platform as a Service or PaaS: A cloud service provider provides platform tools to cloud service users.
  3. Software as a Service or SaaS: A cloud service provider provides application services to cloud service users via the Internet.
Article 3
    (Scope of application for directions on cloud computing services)
  1. To ensure security of the cloud computing services used by an organization, the organization shall perform prior evaluations of the risks in use of cloud computing services. When the cloud services involve the core system, data or services, the suggestions on management and control under these directions should be complied with.
  2. The cloud services for purposes of these directions do not include the private cloud built within the organization for providing only services internally.
Article 4
    (Selection of cloud service providers)
  1. A cloud service user shall perform prior evaluations of service quality of a cloud service provider (including information and communication security protection) and other risks, and take appropriate risk management and control measures. In the event of a deficiency in meeting the needs, other compensatory measures should be considered.
  2. A cloud service user shall evaluate whether a cloud service provider has established the cloud service backup system, and it is advised to specify in the contract the requirements on the recovery time of cloud services.
  3. A cloud service user shall maintain the full ownership of the data processed by the cloud service provider. A cloud service provider shall make sure not to be authorized to access client information, except for performance of requested services, and not to use this information for any purpose beyond the scope of request.
  4. A cloud service user shall implement regular reviews on the cloud service provider with regard to the outsourced cloud services. If a cloud service provider has received a bronze award or a higher award from Cloud Service Alliance in the STAR program (CSA-STAR), an attestation report may be requested or an on-site inspection may be conducted where necessary.
Article 5
    (Cloud interoperability and portability)
  1. A cloud service provider shall meet the cloud user’s needs for interoperability and portability of applications and information processing, and should provide relevant informational documents for the user’s reference.
  2. A cloud service provider is advised to use the virtualized platform, virtual machine file format, and data and file format commonly seen in the industry to ensure interoperability.
  3. A cloud service provider shall adopt the standardized Internet protocol based on the cloud user’s needs. For transmission of sensitive information, it is advisable to adopt the encryption Internet protocol such as Hypertext Transfer Protocol Secure (HTTPS) and Secret File Transfer Protocol(SFTP).
  4. If the cloud services provided by a cloud service provider involve accessing via application interfaces, it is advisable to use an open or public application programming interface (API) to ensure better portability of application components.
Article 6
    (Cloud supply chain management)
  1. A cloud service user that transmits and stores client data at a cloud service provider shall take effective protection measures by encrypting or codifying client data, andshall establish an adequate and suitable encryption key management system.
  2. A cloud service provider shallmaintain its service quality based on the service quality agreement entered with the cloud service user, and shall periodically provide the reports and operating records showing the service quality indexes under the agreement (e.g. system revision history, records of accessing the operating system images, etc.).
  3. A cloud service provider is responsible to monitor risks and errors of other partners in the cloud service supply chain that may potentially affect service quality.
  4. A cloud service provider shall promptly notify the affected cloud service users and its partners in the supply chain in the event of an information and communication security incident to the operation of the cloud services, and regularly update the information on the status of the incident.
Article 7
    (Security of cloud infrastructure and virtualization applicable to the IaaS and PaaS services)
  1. A cloud service provider shall ensure the integrity of the images of a virtual machine. Important revisions to images, such as changing the memory size of the virtual machine, and changing the disk capacity of the virtual machine, should be recorded and provided to the client for review of how these changes are recorded.
  2. When a cloud service provider is replacing its equipment for maintenance (such as replacement of disk drives), all data containing the information about the organization shall be deleted or destroyed. Destruction should be performed by demagnetization, destruction, smashing or other appropriate method depending on the nature of its storage media, and the records for the deletion or destruction should be kept.
  3. A cloud service provider shall provide the information about isolation of virtual machines depending on the cloud service user’s needs, and should immediately notify the cloud service user when the isolation fails.
  4. A cloud service provider shall implement appropriate security control and management measures for the cloud operating system, including hypervisor and guest operation systems, such as availability of only necessary port, protocols and services, virus protection, security breach evaluation system, and monitoring of file integrity.
  5. The authority of the cloud service operators should be managed based on the minimization principle, with appropriate security control and management measures, such as communication management through two-factor authentication, audit trails, IP filtering, firewall, and Transport Layer Security (TLS) packet.
  6. When providing IaaS (Infrastructure as a Service), a could service provider shall encrypt the virtual disk drives containing sensitive information based on the cloud service user’s needs and prohibit snapshots and unauthorized accessing.
Article 8
    (Cross-border transmission of personal data on cloud service)
    For cloud services involving cross-border transmission of personal data, an organization shall have the encryption transmission system in place, and make sure to comply with the Personal Data Protection Act of the Republic of China for a cloud service provider’s collection, processing, use, international transmission and control and management of personal data. The data subject’s authorization should be obtained prior to transmission and no transmission may violate the competent authority’s restrictions on international transmission. The full audit records should be kept.
Article 9
    (Management of interruption and termination of cloud services)
  1. A cloud service user shall establish an appropriate emergency response plan to reduce the risks of interruption of services in cloud operation.
  2. When terminating or ending a contract of operation, a cloud service user shall ensure the services can be successfully transferred to another cloud service provider or migrated back to the user for self-operation.
  3. After termination of services, a cloud service provider shall delete or destroy all archived data (such as images of a virtual machine, storage space, cache space, backup media, client information or sensitive information) and shall provide the proof of a full deletion of data.

Chapter III – Security Control of Social Media

Article 10
    (Definition of social media)
    An online application combining technologies, social interactions and content creation, allowing creation or exchanges of contents generated by its users. On this highly interactive platform, individual users or groups of individual users can share, co-create, discuss and change the content generated by the users.
Article 11
    (Scope of application of directions on social media)
    For purpose of these directions, the social media do not include the social media or platform used for internal communications within an organization.
Article 12
    (Social media use policy)
  1. An organization shall prepare the social media use policy that should be reviewed at least once a year to govern its employees’ use of social media, covering:
    1. defining what social media and functions may be used, and the rules of use;
    2. defining what business related information may be shared on the social media;
    3. defining the distinction between social media for personal use and for business use, and important information; and
    4. defining what a specific role is authorized to speak on social media, and avoiding unauthorized statements about business affairs.
  2. An organization shall assess the degree of risks in the social media employees are allowed to use based on the types of social media, including, unauthorized data disclosure, social engineering, attacks by malware, and take adequate security control and management measures against high risks, such as educational trainings or promotion of awareness, content filtering and monitoring, and preventive measures including detection of malware.
Article 13
    (Official social media profile operated by organization)
  1. An organization shall understand the privacy policy of the social media operator before launching its official profile, and regularly examine changes in its privacy policy and evaluate its risks.
  2. When an organization provides a link on its official website that will take a user to the social media pages outside the organization, there should be a prompt window informing the user that by clicking the link they will be taken to a website not owned by the organization.
  3. The social media profile operated by the organization shall identify the organization’s name, contact method and license number so that visitors will know it is an official social media profile operated by the organization.
  4. When operating the social medial profile, an organization shall create the account access control system, and establish the screening and monitoring policy on the published contents. Its monitoring should at least cover efforts to prevent disclosure of client’s privacy and the organization’s secrets, posts published by unauthorized user or fake profile owner, and prevent attacks or disparaging remarks against other enterprises in the same trade.
Article 14
    (Establish irregularity reporting and complaint processing method)
  1. An organization shall establish the social media irregularity reporting procedures. The management body of its official social media profile is advised to monitor the discussions on the social media profile on a random basis, and make necessary reporting or take necessary measures in the event of improper comments or irregularities.
  2. The social media profile operated by an organization shall identify the contact method for clients to file a complaint and the liaison who handles complaints.

Chapter IV –Security Control and Management of Mobile Devices

Article 15
    (Definition of mobile devices)
  1. Mobile device: A portable device with the functions of computing, processing and storing data, and online connection, including but not limited to smart phones, laptop computers, tablets and PDAs.
  2. Bring Your Own Device (BYOD): A non-organizational portable mobile device used for handling organizational affairs that directly connects to the organization’s network equipment or services, with the functions of computing, processing and storing data, and online connection.
Article 16
    (Scope of application of directions on mobile devices)
    For purposes of these directions, a mobile device is limited to a mobile device used for handling sensitive affairs defined within the organization that can directly connect to the organization’s network equipment and services.
Article 17
    (Control and management of mobile device and equipment for business use)
  1. An organization shall establish the regulations for application for, use, renewal, return and loss of a mobile device.
  2. When there is a change in the staff of the organization, a mobile device should be reset or the settings should be cleared to ensure the mobile device has a secure environment.
  3. An organization shall conduct risk assessments on mobile devices and resources accessible to the mobile devices, and implement appropriate security control and management measures based on the results of the risk assessments, such as screen lock, restrictions on accessing sensitive information, installation of antivirus software programs, installation of mobile device management software, etc.
  4. An organization is advised to take the following security control and management measures on mobile devices storing sensitive information:
    1. It is advisable a mobile device has an identity verificationmechanism.
    2. It is advisable to allow an authorized party to change the settings of theenvironment of the operating system of a mobile device.
    3. It is advisable to conduct regular examinations of the operating system and antivirus software programs of the mobile device and to prevent the owner from making unauthorized changes to the settings, such as jailbreaking or rooting.
    4. It is advisable for a mobile device to have a method for data deletion when the device is lost, e.g. deleting data remotely, or automatic deletion of data after a certain number of failed identification verifications have taken place.
    5. It is advisable a mobile device imposes restrictions on or turns off unnecessary wireless connection, such as NFC, infrared, Wi-Fi or Bluetooth.
    6. It is advisable a mobile device adopts an encryption or data redaction method for protection of transmission of sensitive information.
    7. It is advisable a mobile device prevents storing of sensitive information on the mobile device, or encrypts sensitive information for protection.
  5. A mobile device used to handle an organization’s business should avoid installation of an unofficial mobile application or should install only the installable mobile applications that have passed testing as listed by the organization.
Article 18
    (Management of BYOD)
  1. Anorganization shall periodically review and restrict the purpose and period of use of the BYOD and type of data used on the BYOD.
  2. An organization shall sign the agreement of use of Bring Your Own Device (BYOD) with the owner of the BYOD, including the terms and conditions on use restrictions and the liabilities of the parties etc.
  3. An organization is advised to prohibit unauthorized connections of the BYOD to the Internet via its internal information and communication equipment.
Article 19
    (Security control and management of a mobile app)
  1. An organization shall take appropriate measures to deidentify information when sending sensitive information to a user via text message or other messaging method via its mobile app.
  2. An organization shall create the detection system to identify fake mobile apps to protect the rights and interests of its clients.
  3. When activating a mobile app, an organization shall alert users of its app of potential risks if it detects the user's mobile device may be compromised (such as rooting, jailbreaking and USB debugging).
Article 20
    (Control and management of release of a mobile app)
  1. Before releasing its mobile app, an organization shallexamine to make sure the authorization required for the mobile app is adequate for the services to be provided. First release or changes to authorization should be approved by the information security and compliance departments and records should be kept to help a comprehensive evaluation to determine whether the notification obligations under the Personal Data Protection Act have been performed.
  2. An organization shall release its mobile app on a reliable app store or website and shall at the same time of the release provide information about what sensitive information may be accessed, resources of mobile device and declared authorization and use.
  3. For a mobile app to be used by investors, an organization shall, prior to the first release and on a yearly basis, appoint a qualified third-party testing laboratory certified by Taiwan Accreditation Foundation (TAF) to conduct and complete the information security testing with a satisfied test result. The test should be performed in consistent with the basic mobile app information security tests published by the implementing organization Mobile Application Security Alliance, appointed by the Industrial Development Bureau, Ministry of Economic Affairs.
  4. When updates on the released app are necessary within one year after the laboratory test, the organization shall perform the test or appoint a third party to perform the test on important updates prior to every release. Important updates are changes to the functions relating to “placing orders”, “accessing account information”, “identity verification” and “changes relating to client’s important rights and interest”. The tests should be based on OWASP MOBILE TOP 10 and the relating test records should be kept.
  5. The organization shall establish the review system based on the basic mobile app information security testspublished by the implementing organization Mobile Application Security Alliance, appointed by the Industrial Development Bureau, Ministry of Economic Affairs, for the test reports delivered by the third-party laboratory to ensure the tests have been conducted in accordance with the requirements, and the review records should be kept.

Chapter V –Security Control and Management of the Internet of Things (IoT) Equipment

Article 21
    (Definition of IoT equipment)
    Imbedded system and equipment that connects to the Internet and its peripheral connecting devices (e.g. sensors).
Article 22
    (Scope of application for directions on IoT equipment)
    For purpose of these directions, an IoT refers to automated office (OA) equipment that connects to the Internet and can connect to the external or internal network, such as digital recorder, IP-PBX (Private Branch eXchange), fax machine, audio recorder, copy machine, and surveillance system.
Article 23
    (Equipment inventory and evaluation)
    An organization shall prepare the management list of the IoT equipment that should be updated at least once a year for identification of purpose of equipment, online setups, storage location and managers, and evaluate appropriate physical environment control and management measures and access/authorization control.
Article 24
    (Equipment and software control and management)
    The IoT equipment installed by an organization shall have a security updating system and updates should be made regularly to maintain the functions and integrity of the equipment.
Article 25
    (Control and management of access to equipment)
    The IoT equipment installed by an organization shall have an identity verification system or pairing and bondingsystem, and requires a change to the initial password. Authorization of users should be granted on a minimal basis to ensure only authorized users may access data, manage the equipment and have security updates.
Article 26
    (Control and management of equipment connection)
    An organization shall turn off or disable unnecessary online connection and services of the IoT equipment and avoid uses of an Internet location open to the public. If the equipment is using a public Internet location, a firewall at the front of the equipment should be in place for protection, and accesses should be filtered based on a white list. If the equipment connects to the Internet via a wireless network, a wireless access point with the encryption protocol should be used for the Internet connection, and only the network interface cards with their number on the white list may access the equipment or other protection measures should be taken.
Article 27
    (Control and management of equipment purchases)
    Before purchasing the IoT equipment, an organization shall perform evaluations and tests in accordance with Articles 24 and 26. It is preferable to purchase the IoT equipment with the information security certification mark.
Article 28
    (Supplier management)
    If an organization signs a purchase agreement with the IoT equipment supplier, the agreement should include terms and conditions on information and communication security, stating the relevant responsibilities (e.g. undertakings of services, period for security updates, voluntary reporting known information security loopholes in the equipment and providing relevant action plans) to ensure the equipment has no known security loopholes.
Article 29
    (Control and management of awareness of IoT)
    An organization shall regularly provide information security trainings to the staff who are using and managing the IoT equipment.
Article 30
    (Control and management of exceptions)
    When becoming aware that the IoT equipment has known defects that cannot be corrected via update, or the requirements under Articles 24 to 25 cannot be met due to limitations on equipment functions, an organization shall disconnect the connection of the equipment to the Internet, or have the equipment connected to the Internet only when necessary and make a plan to obsolete and replace the equipment. Prior to the replacement, the equipment should be placed at an independent network segment and separated from the Intranet.
Article 31
    (Control and management of sensors without management functions)
    While sensors of the IoT equipment without management functions have simpler functions and involve less risks, an organization shall still follow the requirements under Articles 23, 26, 27, 28. 29 and 30 of thesedirections.

Chapter VI – Security Control and Management of Identity verification for Electronic Trading

Article 32
    (Definition of identity verification for electronic trading)
    Verification of information about a user’s identification prior to electronic consigned trading agreed to by an organization.
Article 33
    (Electronic trading)
    Electronic trading refers to the electronic consigned trading by a client under Article 75 of the Operating Rules Of the Taiwan Stock Exchange Corporation, Article 48 of the Operating Rules of the Taiwan Futures Exchange Corporation, Article 2 of the Operating Guidelines for Electronic Trading by Domestic Securities Investment Trust Funds of the Securities Investment Trust and Consulting Association of R.O.C., and Article 2 of the Operating Guidelines for Electronic Trading by Offshore Funds of the Securities Investment Trust and Consulting Association of R.O.C.
Article 34
    (Scope of application for directions on identity verification for electronic trading)
    The identity verification for electronic trading as defined under these directions applies only to the systems processing trading via the Internet, not including services enabled by telephone calls, Direct Market Access (DMA), or Co-Location.
Article 35
    (Information protection measures for electronic trading)
    Information protection measures should have the security designs that ensure confidentiality, integrity, authentication, and non-duplication, and should satisfy with the following requirements:
  1. Confidentiality: Information should be encrypted using the algorithm with a security level at or above AES 128bits, RSA2048bits or ECC 256bits. The communication protocol at or above TLS 1.2 should be adopted, and key exchanges should be made via Elliptic Curve Diffie-Hellman Exchange.
  2. Integrity: Information should have a message authorization code (MAC) or be encrypted using the algorithm with a security level at or above SHA 256bits, AES 128bits, RSA 2048bits or ECC 256bits.
  3. Authentication: Information should have a message authorization code (MAC), be encrypted or contain a digital signature using the algorithm with a security level at or above SHA 256 bits, AES 128bits, RSA 2048bits or ECC 256bits.
  4. Non-duplication:Information shall be generated by using methods such as serial number, one-time random number, and time stamp.
  5. Non-repudiation: Information should have a message authorization code (MAC)using the algorithm with a security level at or aboveSHA256, and contain a digital signature using the algorithm with a security level at or above RSA 2048bits or ECC 256bits.
Article 36
    (Management of identity verificationmethod for electronic trading)
  1. Except for the methods otherwise provided under the Guidelines for Security Control and Management of Use of Fast Identity Verification Methods by Financial Institutions, when an organization allows log-in for electronic trading, its security design should implement any two or more of the following three technologies:
    1. Information agreed with the organization not known to a third party (e.g. PIN, pattern lock or gesture lock).
    2. The organization shall verity the physical device (e.g. password generator, PIN card, chip card, computer, mobile device, certification carrier) held by the client is the device agreed to by the client and the organization.
    3. The organization shall directly or indirectly verify the biometrics (e.g. fingerprints, face, iris, voice, palm prints, vein, signature) owned and provided by the client to the organization. Indirect verification means authentication by the device at the client (e.g. mobile device) or verification by an appointed third party, in which case the organization accesses only the results of verification and may add an authentication where necessary. In the case of indirect verification, the organization shall first review the validity of the client’s identity verification method.
  2. Where an organization uses PIN as the verification method, the organization shall apply irreversible computing (such as hash function) prior to storing the PIN. Further, to prevent guessing of a PIN by using pre-generated hash values, information should be encrypted or added with unknown data in the computing.
  3. When an organization directly verifies biometrics and stores the biometric data in its internal system, it should deidentify the original biometric data, makedata difficult to be reversed, store the data by encrypting the original biometric data and alia ID, and store different parts of the biometric data separately on different storage media (e.g. databases). When data is stored at a terminal equipment provided by the organization, the equipment should meet the FIPS 140-2 Level 3 standards or higher standards.
  4. When directly verifying the biometric data, an organization shall adjust the tolerance of errors in biometrics based on its risk capacityin order toeffectively identify the client. In the case of indirect verification, it should first review the validity of the client’s identity verification method.
  5. When using the certificate as the verification method, an organization shall accept only the certificates issued by a certification agency approved by the Ministry of Economic Affairs, and strengthen the verification for issue of certificates to ensure only the client him/herself may log in the system.
Article 37
    (Control and management of identity verification of electronic trading)
  1. An organization shall establish regulations governing applications, delivery, use, update and verification of identity of electronic trading.
  2. An organization shall encrypt all information relating to identity verification for electronic trading transmitted via the Internet throughout the whole transmission.
  3. An organization shall store information relating to identity verification for electronic trading after information has been hashed or encrypted.
  4. An organization shall verify the identity for electronic trading at its server to avoid the risks of verification being tampered with if it is performed on the client’s device.
  5. An organization shall use enhanced password functionality and conduct control and management, andshall always lock an account after three failed attempts toenter the correct password have taken place.
  6. An organization shall provide a method allowing periodic changes of password to its clients and implement enhanced password functionality (e.g. reminding a client to change his/her password via the method for changing the password when the same password has been in use for more than three months).
  7. An organization shall monitor and analyze the records of failed attempts to log in an account in the core system and attempts to log in a non-client account on a daily basis.
Article 38
    (Audit trail of electronic trading)
  1. An organization shall keep the audit trail (e.g. login accounts, system functions, time, system names, inquiry instructions or results) or identification system of uses of personal information to facilitate tracking of uses of personal information when unauthorized disclosure occurs.
  2. An organization shall notify the account owner of account logins and trading records and keep the relevant records.

Chapter VII –Security Control and Management of Deepfake Prevention

Article 39
    (Definition of deepfake)
    Forms of technologies of computer-generated imagery or other technologies that allow production or dissemination of video recording, motion graphics, audio recording, electronic images, photographs and any verbal words or behaviors showing the behaviors of a real person that have not occurred.
Article 40
    (Control and management of identity verification of telephone trading)
  1. When providing telephone trading services, an organization shall establish the identify verification procedure (e.g. voice password) to prevent unauthorized uses of the services by a person other than the account owner.
  2. When a client is giving the authorization via voice services, the relevant telecommunication service provider should be asked to display the caller’s number so as to record the incoming telephone number.
Article 41
    (Control and management of identity verification for video call)
  1. When verifying identity for a video call, an organization shall implement the one-time password (OTP), make a telephone call by its representative, or verify the identity of the person making the video call against his/her photo ID as part of the enhanced verification.
  2. When using the video services, an organization shall validate the authenticity of a real environment where the video call is taking place (e.g.random questions and answers) to prevent uses of prerecorded video via technologies.
  3. An organization shall keep the video recording or photograph for subsequentverifications.
Article 42
    (Control and management of deepfake prevention)
    An organization shall conduct regular information security trainings every year and the trainings should cover topics such as awareness of deepfake and how to prevent deepfake.
^