Title: Establishment of an Information and Communications Security Inspection System for Futures Commission Merchants
Date: 2023.08.25 (Amendment)

Article Content

1     Risk assessment and management (applicable to futures commission merchants that accept customer orders via the Internet):
  1. All of the company's information assets within the scope applicable to information security risk, and owners of the assets, shall be identified.
  2. The acceptable level of information security risk for each of the company's operations shall be determined.
  3. The company shall prepare written reports on information security risk evaluations. Evaluations shall be carried out at least once per year and relevant records retained.
  4. The core system shall be examined to determine a tolerable time period of disruption.
2     Information security policy:
  1. The company shall adopt an information security policy and set information operations security levels in accordance with the needs of its business and applicable laws and regulations.
  2. The following content shall be included when the information security policy is formulated:
    1. A definition of information security, information security objectives, and the scope of information security.
    2. An explanation and description of information security policy, information security principles and standards, and rules with which employees must comply.
    3. A description of the organizational unit in charge of information security work, its authority and duties, and the internal segregation of duties.
    4. A description of emergency procedures for reporting and handling an information security incident and related rules.
  3. The information security policy adopted by the company shall be approved by its management and formally issued, with the requirement that all employees abide by the policy. Public and private entities that do business with the company online and providers of information services shall also be notified and jointly observe the policy.
  4. The company's information security policy shall be evaluated at least once per year to reflect the latest developments in laws, regulations, bylaws, technology, and business, thereby ensuring the effectiveness of the company's information security operations, and records of the evaluations shall be retained.
  5. Information security policy evaluations shall be conducted in an independent and objective manner, either in-house or outsourced to an outside professional institution.
  6. Each year, the company's chief information security officer or highest officer responsible for information security and its chairman, president, and chief internal auditor shall jointly sign and issue a Statement on Internal Control under Article 24 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets and, within 3 months after the end of the fiscal year, submit it to the board of directors for approval, and furthermore disclose the content of the statement on the reporting website designated by the competent authority.
  7. The company shall take the required measures for tiered protection of information security by referring to the Establishing Information Security Inspection Mechanisms for Futures Commission Merchants – Schedule for Required Measures under Tiered Protection.
  8. The company shall bring the core system within the scope of an information security management system appropriate to its information security level; this management system must be validated by an impartial third party, and the validation shall be kept current.
3     Security organization
  1. The company shall, according to relevant requirements, allocate adequate human resources and equipment for the planning and monitoring of the information security system and the implementation of information security management operations. The job responsibilities of the relevant personnel and any other business that they may concurrently handle shall be in compliance with relevant requirements.
  2. The company shall designate a vice president or other high-level executive officer to be in charge of the overall promotion of information security policy and the allocation of resources, and as necessary may also establish an interdepartmental Information Security Task Force. If the company satisfies certain conditions prescribed by the competent authority, it shall designate a person of or above the rank of vice president or with comparable functions to act concurrently as chief information security officer to handle the aforementioned business.
  3. The company shall, in consideration of the need of information security management and its information security level, assign responsibility for planning and implementing information security work to specially appointed dedicated persons or dedicated units, and the information security personnel and officer(s) shall be required to participate on a regular annual basis (once a year) in at least 15 hours of information security professional courses or functional training and to pass evaluations. All other personnel who use the information system shall attend at least 3 hours of information security awareness courses every year.
  4. If the company lacks sufficient personnel, skills, or experience to meet its information security needs, it may retain outside scholars, experts, or professional private-sector organizations or groups to provide information security consulting services.
  5. The authorities and duties of the company's information processing departments shall be clearly segregated from those of its business units.
  6. The company shall require its information security personnel to obtain and maintain information security professional license(s) adequate to its information security level.
4     Categorization and control of assets
  1. Information assets shall be set out in a list, which shall be kept current.
  2. Rules shall be adopted to govern the classification and labeling of information (applicable to futures commission merchants that accept customer orders via the Internet).
  3. The company shall complete the classification of the information systems it developed independently or that were developed by an outsourced provider. The classification standard shall at least divide information systems into core and non-core systems. The information systems shall be examined at least once a year to determine whether their classification remains appropriate.
5     Personnel security
  1. Employees shall be required to maintain confidentiality in accordance with applicable laws and regulations, and shall sign a non-disclosure agreement.
  2. When an employee leaves the company, the employee's ID code shall be canceled, and his or her security pass, door card, and related documents shall be collected.
  3. The company shall regularly (at least annually) give information security lectures for all employees (focusing on such topics as information security policy, information security laws and regulations, information security operating procedures, and the proper use of information technology equipment) and retain records of the lectures.
  4. Employees shall receive information security training that is appropriate for their position within the company; the number of hours of training received each year shall comply with the internal rules adopted by the company.
  5. Futures commission merchants shall appoint computer auditors. (This is applicable to futures commission merchants that accept customer orders via the Internet, but not applicable to those doing so via telephone or in the traditional manner.)
6     Physical and environmental security:
  1. Access to computer server rooms shall be controlled (e.g., by door cards).
  2. Computer server rooms shall have fire prevention equipment, which shall be inspected regularly, and natural disasters such as earthquakes and floods shall also be factors taken into consideration.
  3. Computer equipment shall have an independent power supply system, and the power supply system shall include uninterruptible power supply devices and a power generator.
  4. Procedures for retirement and disposal of equipment shall be established. Prior to retirement and disposal, any confidential or sensitive data and licensed software shall be removed, overwritten for security purposes, or physically destroyed, and it shall be ensured that data that was stored in computer hard drives and in storage media cannot be restored. Records of the retirement and disposal shall be preserved.
  5. The company shall periodically review the security permissions for access to information equipment rooms.
7     Management of Communications and Operations:
  1. Management of network security (applicable to futures commission merchants that accept customer orders via the Internet; additionally, items A, B and E are applicable to all futures commission merchants):
    1. Evaluating the security of network systems:
      1. A company shall regularly evaluate the security of its own network systems (e.g., its operating system, network servers, browsers, firewall, and its anti-virus software version) and retain related records.
      2. Security gaps in the network operating environment and operating system (including servers, portables, personal terminals, and computers provided at business locations for shared use by investors) shall be repaired regularly or as the need arises, and related documentation retained.
      3. Matters with a bearing on computer network security (e.g., promoting awareness of information security policy, prevention of hacker intrusions, and anti-virus measures) shall be internally announced.
      4. A specially appointed employee shall be responsible for computer servers and important software and hardware.
      5. The company shall regularly (at least semiannually) scan its information system for vulnerabilities, and where potential vulnerabilities are identified, it shall evaluate the associated risks or install software patches, and retain a record of its handling of the matter.
      6. The company’s network shall be categorized, according to purpose of use, as DMZ, operating environment, testing environment, and other environment, and there shall be an appropriate division mechanism between these environments (e.g., firewall, virtual local area network, and physical separation).
      7. Personal information and confidential and sensitive information shall be stored in a secured network area, and shall not be stored on the Internet or other non-secured areas.
      8. Only necessary services and programs may be available in the system, and unused services and functions shall be made unavailable.
      9. The company shall establish guidelines for remote connection management, and exercise controls (e.g., connection IP address, secure network connection, and regular access authorization review, etc.) over the use of remote connection via the external network to control the internal operation system within the company, and keep relevant maintenance records to be regularly reviewed by the proper officer.
      10. The company shall prevent use of the internal network from an unauthorized device.
    2. Managing firewall security:
      1. A firewall shall be established.
      2. A specially appointed employee shall be responsible for managing the firewall.
      3. Records of firewall entries and exits and backup copies shall be retained for at least 3 years.
      4. Important website and server systems shall be isolated from the external Internet by firewalls.
      5. Firewall system configuration shall be approved by the appropriate officer in charge.
      6. The company shall regularly examine and maintain the setup of control of access to the firewall on a yearly basis and keep the relevant examination records.
      7. No products that could jeopardize national information security may be used on the equipment directly connecting to the networks used for the company's transactions.
    3. Managing network transmission and connection security:
      1. Trading screens for order placing via the Internet shall be protected by encryption (e.g., SSL).
      2. The company shall monitor and analyze on a daily basis records of login failures in connection with core system accounts and attempts to log in with non-customer accounts etc. If it discovers any account login anomaly (e.g., password entry error reaching three times, a large number of account login failures within a certain period of time, or anomaly in an account certificate application or renewal download), it shall immediately ascertain the cause of the anomaly and retain the relevant records.
      3. When providing online order service, the company shall, upon any login to place an order, implement multi-factor authentication, e.g., order certification, device identifier, OTP, biometric system etc., to ensure that the login is by the customer itself.
    4. Managing CA authentication and certificates:
      1. A futures commission merchant that handles trading orders online shall adopt certificate delivery procedures to prevent certificates from being obtained by persons other than their intended owners. For downloading of certificates applied for or renewed by customers, multi-factor authentication methods must be used (e.g., order certification, device identifier, OTP, biometric system, SIM authentication, etc.) and they must be different from the factors used when logging into the account, so as to scrupulously verify the customer's identity, and records must be kept.
      2. A futures commission merchant that handles trading orders online shall use an authentication system for all orders via the Internet.
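The OTP factor named in items 3 and 4 above is commonly implemented as a time-based one-time password. The following is an added example, not code from the regulation or from any futures commission merchant: a server-side TOTP verifier in the style of RFC 6238 (HMAC-SHA1, 30-second step, 6 digits), with a one-step clock-skew window and a replay guard so that an intercepted code cannot be accepted twice. The secret, window size and the `TotpFactor` class name are assumptions for illustration.

```python
"""Server-side TOTP verification (constructed example, not the regulation's own code)."""
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226 dynamic truncation, SHA-1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of elapsed time steps."""
    return hotp(secret, int(for_time) // step, digits)


def new_enrolment_secret(length: int = 20) -> str:
    """Random shared secret, base32-encoded for provisioning to the customer's device."""
    return base64.b32encode(secrets.token_bytes(length)).decode()


class TotpFactor:
    """State kept per enrolled customer: shared secret plus the last accepted counter."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window        # assumed tolerance of one step either side for clock skew
        self.last_counter = -1      # replay guard: never accept a counter twice

    def verify(self, code: str, now: int) -> bool:
        """Return True once for a valid code; the same code is rejected on re-use."""
        current = int(now) // self.step
        for offset in range(-self.window, self.window + 1):
            counter = current + offset
            if counter <= self.last_counter:
                continue            # already consumed (or older than a consumed step)
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); a real deployment uses new_enrolment_secret()
    demo_secret = b"12345678901234567890"
    factor = TotpFactor(demo_secret)
    code = totp(demo_secret, 59)
    print(code, factor.verify(code, 59), factor.verify(code, 59))
```

The replay guard is the part most often missing from home-grown verifiers: without `last_counter`, a code captured by malware on the customer's terminal remains valid for the whole skew window. Record the accepted counter in the same transaction that records the login, so the account-login logs required later in this regulation also show which OTP step was consumed.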
    5. Protecting against computer viruses and malicious software:
      1. Anti-virus software shall be installed and its programs and virus patterns given timely updates.
      2. Computer systems and data storage media (including emails) shall be regularly scanned for viruses.
      3. Anti-virus protection shall cover personal terminals (including portables and computers provided at business locations for shared use by traders) and network servers.
      4. Email from unknown sources should absolutely not be opened, and special care shall be used in opening emails with attachments containing executable files.
      5. To prevent computer viruses from spreading and affecting computer security, the company shall adopt security rules governing the use of email and establish an email filter system.
      6. The company shall have online use control measures in place to prevent download of malware.
      7. The company shall detect links that connect to phishing websites and malicious websites and remind customers to be cautious about online phishing.
      8. The company is advised to conduct regular social engineering exercises on a yearly basis, and provide coaching to personnel who have opened an email or clicked a link that they should have refrained from opening or clicking, and keep relevant records.
    6. Inspecting the functions of network systems:
      1. The functions provided by the online order submission system shall be inspected regularly and inspection records shall be kept.
      2. Any network system that provides external connections for use shall be monitored for any changes to the webpage or program, and any such changes shall be recorded and reported to the relevant personnel for handling. (Effective 30 June 2023)
    7. Introduction of cyber-attack prevention system and security tests:
      1. The company shall regularly perform penetration tests on the core system that provides the Internet services, according to its information security level, and make improvements based on the test results.
      2. The company shall conduct regular information and communication security checkups according to its information security level, which shall include inspection of network structure, inspection of malicious cyber activities, inspection of malicious activities at a user's computer, inspection of malicious activities at the server, setup of the directory server, and inspection of setup of the firewall connection.
      3. The company shall establish an information and communication security threat detection management system according to its information security level, which shall include collection of events, analysis of anomalies, detection of attacks, and determination of attack acts.
      4. The company shall establish an intrusion detection and prevention system according to its information security level.
      5. The company shall set up web applications firewalls according to its information security level.
      6. The company shall implement advanced prevention measures against continuous threats and attacks according to its information security level.
    8. Quality standards for services for placing orders via the Internet:
      1. When providing services for placing orders via the Internet, the company shall, in order to maintain the quality of customer services, establish quality standards for placing orders via the Internet, which shall include the following key elements: transaction security, transaction stability, and system availability.
    9. Notification of account login or anomaly: (effective 28 February 2023)
      1. It is advisable for the company to give a notification whenever there is a login to a customer account. If any of the following anomalies occurs, the company shall immediately notify the customer and keep records, to avoid logins by any person other than the customer themself.
        1. Password entry error or account lockout.
        2. Application for or renewal of certificate.
        3. Change of basic information.
        4. Login attempt from an anomalous source or behavior, etc.
        5. Password change or renewal application.
    10. Monitoring and alerts of logins from anomalous IP addresses:
      1. The company shall conduct monitoring, analysis, and record-keeping of anomalies and connections from unknown source IPs. For any of the following circumstances, it shall have an alert mechanism in place, and it shall regularly review the mechanism to confirm that it is effectively operating:
        1. Logins by the same source IP to different accounts reaching a certain number of times.
        2. Logins to the same account from different countries within a certain period of time.
        3. Discovery of a login attempt from an anomalous source (e.g., an IP on the blacklist published by the Financial Information Sharing and Analysis Center [F-ISAC] or an overseas IP).
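The daily login-failure review required under network transmission security (three wrong passwords, many failures in a period) and the three alert conditions just listed (one IP across several accounts, one account from several countries, blacklisted or overseas source) are all checks that run over the core system's login log. The following is an added example, not code from the regulation or from any futures commission merchant, that applies all four checks to a few constructed log lines. The log format (timestamp, account, result, source IP, GeoIP country), the thresholds, the time windows, the home country and the blacklist contents are assumptions; a real deployment would load the F-ISAC list and tune the thresholds.

```python
"""Login-anomaly checks over constructed login-log lines (example, not the regulation's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time, account, result, source IP, GeoIP country (documentation IP ranges).
SAMPLE_LOG = """\
2023-09-01T09:00:01 cust0001 FAIL 203.0.113.10 TW
2023-09-01T09:00:09 cust0001 FAIL 203.0.113.10 TW
2023-09-01T09:00:15 cust0001 FAIL 203.0.113.10 TW
2023-09-01T09:01:00 cust0002 OK   203.0.113.10 TW
2023-09-01T09:01:30 cust0003 OK   203.0.113.10 TW
2023-09-01T09:02:00 cust0004 OK   203.0.113.10 TW
2023-09-01T09:05:00 cust0009 OK   198.51.100.7 TW
2023-09-01T09:20:00 cust0009 OK   192.0.2.44   JP
2023-09-01T10:00:00 cust0012 OK   192.0.2.99   TW
"""

BLACKLIST = {"192.0.2.99"}              # assumed stand-in for the F-ISAC blacklist feed
HOME_COUNTRY = "TW"                     # assumption: anything else counts as overseas
FAIL_THRESHOLD = 3                      # password entry error reaching three times
FAIL_WINDOW = timedelta(minutes=10)     # assumed window for "a certain period of time"
MULTI_ACCOUNT_THRESHOLD = 3             # assumed "certain number" of accounts per source IP
MULTI_ACCOUNT_WINDOW = timedelta(minutes=10)
GEO_WINDOW = timedelta(hours=1)         # assumed window for different-country logins


def parse_log(text):
    """Parse the whitespace-separated lines into sorted (time, account, result, ip, country) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result, ip, country = line.split()
        events.append((datetime.fromisoformat(ts), account, result, ip, country))
    return sorted(events)


def detect_anomalies(events):
    """Run the four checks in time order; return de-duplicated (rule, subject, detail) alerts."""
    alerts, seen = [], set()

    def raise_alert(rule, subject, detail):
        if (rule, subject) not in seen:       # one alert per rule and subject
            seen.add((rule, subject))
            alerts.append((rule, subject, detail))

    fails = defaultdict(list)       # account -> times of recent consecutive failures
    by_ip = defaultdict(list)       # ip -> (time, account) of recent attempts
    successes = defaultdict(list)   # account -> (time, country) of recent successful logins

    for ts, account, result, ip, country in events:
        # Check 1: repeated password failures on one account within the window
        if result == "FAIL":
            fails[account] = [t for t in fails[account] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[account]) >= FAIL_THRESHOLD:
                raise_alert("repeated_failures", account, ip)
        else:
            fails[account] = []     # a successful login resets the consecutive-failure count

        # Check 2: the same source IP reaching several different accounts
        by_ip[ip] = [(t, a) for t, a in by_ip[ip] if ts - t <= MULTI_ACCOUNT_WINDOW] + [(ts, account)]
        accounts_from_ip = sorted({a for _, a in by_ip[ip]})
        if len(accounts_from_ip) >= MULTI_ACCOUNT_THRESHOLD:
            raise_alert("multi_account_ip", ip, accounts_from_ip)

        # Check 3: the same account logged in from different countries within the window
        if result == "OK":
            recent = [(t, c) for t, c in successes[account] if ts - t <= GEO_WINDOW]
            other_countries = {c for _, c in recent if c != country}
            if other_countries:
                raise_alert("multi_country_account", account, sorted(other_countries | {country}))
            successes[account] = recent + [(ts, country)]

        # Check 4: blacklisted or overseas source IP (any attempt, successful or not)
        if ip in BLACKLIST:
            raise_alert("blacklisted_ip", ip, account)
        elif country != HOME_COUNTRY:
            raise_alert("overseas_ip", ip, account)

    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

Against the sample the checks raise five alerts: the three failures on cust0001, the shared IP 203.0.113.10 reaching three accounts, cust0009 appearing from TW and then JP within an hour, the JP address as an overseas source, and the blacklisted 192.0.2.99. The de-duplication key is (rule, subject) so that a noisy source produces one reviewable alert rather than one per event; the regulation's requirement to retain the underlying records is met by keeping the raw log, not the alerts.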
  2. Management of the security of the computer system and operations:
    1. Managing computer equipment:
      1. The company shall enter into a written maintenance agreement with a services provider to establish what items are to be included in computer equipment maintenance work. A maintenance log shall be retained after completion of maintenance and the information systems unit of the company shall appoint a person to inspect the log together with maintenance personnel from the services provider.
      2. When business operations require that personal information be collected, processed by computer, or transmitted and used internationally, the company shall adopt a policy on Segregation of Authority and Duties Between the Company and Software or Hardware Firms Regarding the Maintenance of Confidentiality and Liability for Damages.
    2. Environment configuration and use authorization settings of the computer operating system:
      1. Computer operating system environment configuration and use authorization settings shall be approved by the appropriate officer in charge and implemented by system administrators.
      2. Computer system files shall be backed up completely before and after they are modified.
      3. The company shall establish the guidelines for management of accounts with the highest system authorization level, covering both operating system and application system, and the approval of the proper officer is required for use of an account with the highest authorization level, and relevant records shall be retained.
      4. The company shall create and diligently implement the security configuration baseline for personal computers, servers, and network communication devices (e.g., length of a password, and how frequently a password may be changed).
      5. A multi-factor authentication method shall be adopted when any account is used to log into any system via the Internet. (Effective 30 June 2023)
    3. Security management for computer storage media:
      1. Backup copies of important software, related documentation, and inventory lists shall be made and stored in a separate safe location.
      2. If important backup files and software are stored in the same building that houses the computer center, they shall be kept locked in a fireproof room or in a cabinet that is both fireproof and earthquake-proof.
      3. The storage media used for backup materials shall be labeled with the name of the materials and their retention period.
      4. Handling procedures shall be established for media used to store confidential and sensitive information so as to prevent leaking or improper use of the information.
      5. A restoration test mechanism shall be established, to verify the integrity of backups and the adequacy of the storage environment.
    4. Management of computer operation:
      1. Computer operators shall strictly adhere to prescribed operating procedures.
      2. Complete and accurate records shall be provided in an operating log, which shall be inspected and approved daily by the officer in charge. The operator and the officer in charge may not be the same person.
      3. A specially appointed person shall be responsible for inspecting the information in the log of the computer system's master station and for regularly submitting the information to the officer in charge for inspection and approval.
    5. The futures broker shall have a computer system that has adequate capacity and is capable of meeting the needs of its business.
    6. The futures broker shall adopt a mechanism and procedures for regular evaluations (at least once a year) of its computer system's capacity and security measures, to be carried out in-house or outsourced to an outside professional organization. Computer system capacity shall be stress-tested regularly and records of the testing retained.
8     Access control:
  1. The company shall adopt rules governing access control for the information system and notify the employees to abide by the rules in writing, electronically, or by other means.
  2. Authorization management:
    1. There shall be a detailed written description of controls on the access to and use of programs.
    2. When a person's employment status is changed, his or her use authorization shall be promptly updated.
    3. Access to and use of programs and files shall be granted on the basis of authorizations.
    4. Authorizations for computer access and use by outside contracted personnel shall be subject to appropriate control, and the authorizations shall be promptly canceled after the end of the contract period.
    5. Outside contracted personnel who enter the company's premises shall be subject to company security management, and security control measures shall be applied if they wish to use internal network resources (e.g., where contract personnel use a proxy server or establish a separate network, it is advisable that they be substantively isolated from the internal network).
    6. Regular (at least semiannual) examination and reconsideration shall be conducted of the user authorization of users who have not recently used the system (excluding users who are customers).
  3. Password management:
    1. Users making use of the system for the first time may not operate the system until they have changed their initial password.
    2. Passwords shall be generated using public, secure and unbroken algorithms (e.g., irreversible algorithms such as hashing) in a random text string format and stored encrypted.
    3. For a user or customer who forgets his or her password, the company shall impose rigorous identity check procedures (e.g., contacting customer service to verify basic information, OTP, in-person processing, etc.) before the user or customer is allowed to use the system again.
    4. Initial passwords shall be generated randomly and have no connection with the user's or customer's identity.
    5. When a password is input incorrectly three times in a row, the login session shall be terminated and that account shall be locked, and a record shall be kept. When the customer contacts the company to apply for release of the lockout, the company shall scrupulously verify the customer's identity (e.g., by contacting customer service to verify basic information, OTP, in-person processing, etc.) and keep the relevant records before proceeding to unlock the account.
    6. Except for orders placed by voice-keypress, the company shall require the use of strong passwords (at least six characters in length and including letters and numbers or other symbols) and exercise control, and encourage the changing of passwords at least once every three months. If a customer's password has not been changed for more than one year or the changed password is the same as the previous generation, the company shall take appropriate measures. Apart from customers, the passwords of other users of the company shall be changed at least once every three months. (Effective 31 December 2022)
    7. The company's current website, servers, network neighborhood, routers, switches, operating system, databases, and other such software and hardware equipment shall be password-protected. The company shall avoid using default settings (e.g., "administrator," "root," "sa") or simple strings (e.g., "1234") as passwords and shall not fail to set administrator access privileges.
  4. Management of computer audit logs:
    1. Audit logs for important systems (such as server login systems and online order submission systems) shall log such matters as user ID codes, login dates and times, computer identification information, and IP addresses.
    2. A specially appointed person shall be assigned to regularly inspect the computer audit logs of important systems.
    3. In keeping the relevant logs, it shall be ensured that procedures are in place for the collection, protection, and proper management of digital evidence, and the logs shall be kept for at least 3 years.
  5. Management of data input:
    1. The inputting or alteration of high-security or important data may be undertaken only with permission from the appropriate officer in charge.
    2. A log shall be kept of the data that is input or altered and the names and job titles of the persons who perform the inputting or alteration.
    3. Highly confidential important data (e.g., password files) shall be saved in encrypted format.
    4. If the company is a public company, it shall incorporate the Directions for Public Companies Reporting Public Information via the Internet into its internal control system and carry out information reporting in accordance with those Directions.
    5. When company personnel use an electronic certificate IC card, another type of certificate chip card, or other certificate carrier to represent the company in transmitting signatures (e.g., to the Market Observation Post System, the One-Stop Window for Securities Firm Filings, or the Office Document Exchange Center), a specially appointed person shall be responsible for maintaining custody of the certificate carriers and establishing a log book. Procedures governing the use and custody of related account numbers and passwords shall be adopted and implemented.
    6. When a certificate carrier is used to represent the company in transmitting signatures, if the server side is a futures commission merchant application system (e.g., Electronic Reconciliation Statement System), then a computer audit log shall be kept and the retention period for the logged data shall depend on the type of data generated by each individual signature operation.
    7. The personal information of customers and the company's internal personnel shall be properly handled in accordance with the Personal Information Protection Act.
    8. The company shall at regular or irregular intervals audit the management of information defined as personal information by the Personal Information Protection Act.
    9. Any updates, edits, or strike-outs of the aforementioned personal information shall be reported for recordation, and a complete and accurate log shall be maintained showing the content of the updates, edits, or strike-outs, the names of the persons making the changes, and the times at which the changes were made.
  6. Management of data output:
    1. Are reports and statements generated and delivered to the proper units in a timely manner?
    2. Are appropriate control procedures in place for printing out or browsing confidential or sensitive reports and statements?
    3. There shall be an encrypted transmission mechanism (e.g., SSL) for traders querying personal information on the company website.
9     Systems development and maintenance:
  1. The requirements of information security shall be included in the analyses and specifications when an application system is being planned and analyzed.
  2. Are checks performed to confirm the accuracy of data that is input into the system?
  3. Legal software shall be used.
  4. Contracts shall be entered into for outsourced work. The content of contracts entered into for outsourced work shall include an information security agreement and terms and conditions including the right to audit the information security of the outsourced firm.
  5. When a completed program requires maintenance, it must be carried out in accordance with formally approved procedures.
  6. All documents and handbooks shall be properly maintained and controlled.
  7. A specially appointed person shall be responsible for maintaining application systems.
  8. The company shall cooperate in carrying out any necessary industry-wide test of an application system prior to the online offering of new futures or options products or in response to related operational changes in the trading or clearing systems.
  9. Management of changes to application systems:
    1. The files that contain programs, data, and job control commands for formal operations and for test operations shall be stored in separate locations.
    2. When a program is modified its documentation shall be promptly updated.
  10. Source code security regulations (applicable to futures commission merchants that accept customer orders via the Internet):
    1. Malware and other information security gaps shall be avoided in a program.
    2. The Company shall use a comprehensive validation mechanism that is both appropriate and valid to ensure completeness of its programs.
    3. A corresponding updated version of a program shall be made available in the event of an update to the library cited.
    4. A program shall conduct security checks and provide a protection mechanism against injection attacks in respect of character strings entered by users.
    5. If a mobile application developed through outsourcing involves the transmission of sensitive data (such as customer account passwords or transaction data, etc.), the company shall, itself or through outsourcing, inspect and verify the appropriateness of transmission recipients and keep relevant records.
    6. The company shall inspect program source code in accordance with the above security measures and shall meet the requirements of the security measures. The provider of a program shall be requested to comply with the security measures in the preceding five paragraphs (A, B, C, D, E) if no source code of the program is available.
  11. Mobile application security management (applicable to futures commission merchants that accept customer orders via the Internet):
    1. Launch of a mobile application:
      1. A mobile application shall be launched in a mobile application store or on a mobile application website with a reliable source. The sensitive information to be accessed, mobile device resources, and proclaimed permissions and purposes shall be specified upon the launch.
      2. The name, version and download location of a mobile application shall be provided on the company website.
      3. A fake mobile application detection mechanism shall be in place to protect customers’ rights and interests.
      4. Conformance of permissions required for a mobile application to services offered shall be ascertained before launch. The initial launch or a change of permissions is subject to consent of the information security unit or personnel and the legal compliance unit and shall be documented, to facilitate general assessment as to whether the duty to notify under the Personal Data Protection Act is satisfied.
    2. Protection of sensitive information:
      1. When a mobile application transmits and stores sensitive data, a valid certificate, hash, or encryption mechanism shall be in place to ensure safe transmission and storage, and the data shall be appropriately de-identified when in use. Relevant access logs shall be protected to prevent unauthorized access.
      2. If, upon activation of a mobile application, the mobile device is detected as suspected of having been compromised (e.g., by rooting, jailbreaking, or USB debugging), a risk alert shall be issued to the user.
    3. Mobile application testing:
      1. In respect of mobile applications used by traders, information security testing shall be conducted and passed, before initial launch and each year thereafter, at a third-party testing laboratory accredited by the Taiwan Accreditation Foundation (TAF). Such testing shall cover the items listed in the guidelines for vetting the security of mobile applications published by the Mobile Application Security Alliance, the testing unit commissioned by the Industrial Development Bureau, Ministry of Economic Affairs. If an updated version must be launched within a year after laboratory testing is passed, material updates are subject to outsourced or in-house testing prior to each launch. Material updates refer to functional changes to "trading order placement," "account inquiries," "identification," and "material customer rights and interests." The testing is based on the OWASP Mobile Top 10 and shall be documented.
      2. The futures commission merchant shall have in place a reexamination mechanism with regard to the test reports provided by a third-party testing laboratory, to ensure the testing items and contents are consistent. Such reexaminations shall be documented.
10     Management of business continuity:
  1. The company shall clearly formulate failure recovery procedures (e.g., backup and recovery plans for computer equipment, telecommunications equipment, power systems, databases, and computer operating systems), and diligently implement them and retain records.
  2. Failure recovery procedures shall be tested periodically; after testing, a review meeting shall be convened to consider ways to improve shortcomings and a record of the proceedings shall be retained.
  3. Futures brokers shall have backup measures in place for their trading servers.
  4. The company shall formulate a business continuity plan (covering such matters as activation conditions, participating personnel, emergency response procedures, backup procedures, maintenance schedules, education and training, descriptions of job duties, response plans of outside entities with which the company does business, and contract suitability) together with the maintenance measures necessary for the plan, shall identify its key operations and carry out the related impact analyses, and shall conduct business continuity exercises regularly, according to its information security level.
  5. The company shall adopt an information security reporting mechanism (e.g., formal reporting procedures and contact persons for information security incident reports), and is advised to take appropriate corrective procedures for information security incidents relating to its information system and to retain related records.
  6. If the company experiences any information security event such as theft, alteration, damage, loss, or disclosure of personal information, it shall immediately report by official letter to the Taiwan Futures Exchange, which shall forward the report to the competent authority.
  7. The company shall clearly formulate operational procedures for defending against and responding to distributed denial-of-service (DDoS) attacks.
  8. The company shall carry out the following information security protection matters:
    1. Designate the personnel and the department to handle overall planning and to coordinate and liaise with all relevant departments.
    2. Periodically evaluate the core business systems and equipment, take appropriate measures based on the evaluation findings, and report to the board of directors, to ensure business continuity and operational resilience.
    3. In the sustainability report, annual report, financial report, or company website, disclose the resources required for the continuity of operation of the company's core business systems and equipment for the fiscal year and the items implemented in the annual budget or education and training or other related programs.
11     Compliance:
  1. A company shall regularly (at least annually) carry out an information security audit (either in-house or outsourced to an outside professional organization) and keep an audit log.
  2. The company shall monitor corrective action taken in response to the aforementioned information security audits (including audit summaries, scope of audits, description of deficiencies, and recommendations for improvement).
12     Application of emerging technology:
  1. Cloud services:
    1. When a company is a user of cloud services, it shall adopt cloud computing service operation security rules. These rules shall include the mechanisms for selecting a cloud service provider, audit measures, backup and recovery mechanisms, service level (including information security protection), and recovery time requirements. If there is a likelihood of a cloud service provider not meeting the company's needs, the company must have other compensatory measures in place.
    2. When a company is a provider of cloud services, it shall adopt cloud computing service security control measures. These measures shall include items regarding legal compliance, access control, allocation of authorities and duties, and information security protection, among others. If the transmission of sensitive data is involved, the service provider shall use hypertext transfer protocol secure (HTTPS), secure file transfer protocol (SFTP), or other encryption protocols.
  2. Social media:
    1. The company shall adopt information security rules for social media and regulations governing the use of social media, which shall include the following content:
      1. Definition of which business-related information may be shared on official-use social media.
      2. Definition of the difference between private-use and official-use social media, as well as matters for attention.
    2. The company shall assess the degree of risk associated with allowing employees to use social media, including data leaks, social engineering, and malware attacks, and shall adopt appropriate security control measures.
    3. The company shall adopt information security rules and regulations governing the operation of official social media, which shall include the following content:
      1. The privacy policy for the social media operated by the company shall be understood in advance, and a regular (once annual) review shall be made of any changes to the policy and the associated risks shall be evaluated.
      2. When the company's official website provides users with a link to external social media, a prompt window shall appear informing users that the social media is not part of the company's website.
      3. The social media operated by the company shall indicate the name and contact information of the futures commission merchant, to distinguish it as the official social media of the company.
      4. The company shall establish an account access management system, which it shall use to control and monitor the content that is issued on the company's social media, and to give notice of or handle inappropriate statements or abnormal incidents.
  3. Mobile devices:
    1. The company shall adopt information security rules and regulations governing mobile devices for company business, which must include the following items:
      1. Regulations governing mobile device equipment shall contain rules relating to applications for and the use, update, return, and audit of such devices.
      2. When there is a change in personnel at the company, procedures for the reallocation or clearing of devices shall be conducted, in order to ensure the security of the mobile device environment.
      3. Personnel who use company-issued mobile devices shall avoid installing mobile applications or programs that are not officially released, or shall only install those mobile applications and programs that are listed as tested and approved for installation by the company.
    2. The company shall adopt information security rules and regulations governing mobile devices carried by employees on their person, which must include the following items:
      1. The company shall specify the purposes for which mobile devices carried by employees are required to be used.
      2. The company shall sign an agreement on the use of mobile devices with those employees who have them, which shall include use restrictions and the responsibilities of both parties.
      3. The company shall restrict the use of employees' personal mobile devices to give internal information equipment private access to the Internet.
  4. Internet of Things:
    1. The company shall adopt information security rules and regulations relating to the Internet of Things, which must include the following items:
      1. The company shall establish an Internet of Things device management list and update it at least once a year, and shall change the initial passwords used for the devices.
      2. The Internet of Things devices shall be equipped with a security update mechanism, which shall update regularly (once a year). If a device has a known vulnerability but cannot be updated, the company shall establish a compensatory control mechanism.
      3. The company shall shut off any connections or services on the Internet of Things devices that are not necessary, and shall avoid using publicly reachable Internet addresses for them.
      4. If the company and the provider of Internet of Things devices sign an agreement, the content of the agreement should include a clause relating to information security that expressly specifies relevant responsibilities (e.g., service pledge, security update period, voluntary notification of any known information security vulnerabilities, and provision of relevant contingency management plans), to ensure that no known security vulnerabilities exist on the devices.
      5. When procuring Internet of Things devices, the company is advised to give priority to Internet of Things devices that carry information security certification.
      6. The company shall regularly conduct information security education and training for users and management personnel of Internet of Things devices.
  5. Remote working:
    1. The company shall install information security-related software on equipment used for remote working and control access permissions for applications to mitigate the risk of information leakage.
    2. The company shall set system function permissions for work-at-home employees based on business scope and access controls.
    3. The company shall set connection time period limits and related regulations according to the content of the business performed by employees.
    4. The company shall keep records of and track remote working employee user logins to the system, computer equipment operations, and transaction records.
    5. The company shall adopt a multi-factor authentication mechanism (employee account and password, dynamic password, one-time password) and establish a secure remote network channel to mitigate the risk of account and/or password counterfeiting or theft.
    6. The company shall block malicious or unauthorized connections and adopt the principle of least privilege to set remote account access rules.
    7. The company shall regularly update the security control measures for VPN connections and other remote connection systems.
    8. The company shall establish protection measures for the security of customer privacy, information, and records.
    9. The company shall promote greater awareness of information security and educate remote working employees to stay alert to network risks and to observe the company's other information security mechanisms.
13     Other: Provision of information:
  1. All important laws, regulations, bylaws, and notices shall be promptly posted on a public bulletin board.
  2. A dedicated bidding terminal may not be installed in a reading room.
  3. Real-time futures and options trading data posted on the company's website shall be provided by a data company that has entered into a contract with the Taiwan Futures Exchange.
  4. Information provided to the public on the company's website shall be inspected regularly, and information that is confidential or sensitive shall be promptly removed.