
Title Operating Procedures for the Assessment of Information and Communication Security of Information and Communication Systems by Futures Commission Merchants
Date 2025.10.13 ( Announced )

1     Foreword
    To ensure that the information and communication systems provided by futures commission merchants possess consistent fundamental system security protection capabilities, these Operating Procedures are established to identify information security threats and vulnerabilities through various information and communication security assessment operations. The aim is to implement both technical and managerial control measures to improve and enhance the security protection capabilities of networks and information and communication systems.
2     Scope of Evaluation
  1. Futures commission merchants shall, in accordance with the "Establishment of an Information and Communications Security Inspection System for Futures Commission Merchants," develop an assessment plan for their overall information and communication systems (including self-developed and outsourced systems) on the basis of these Operating Procedures. To ensure business continuity and protect client rights and interests, futures commission merchants shall classify information assets according to their importance and impact level, conduct information and communication security assessments regularly and by classification, present an "information and communication system information and communication security assessment report," implement corrective and preventive measures, and perform regular follow-up reviews. A foreign futures commission merchant may follow its own information security checkup operating rules if they are stricter; otherwise, it shall comply with domestic regulations. Futures commission merchants operating on a concurrent basis shall follow the rules applicable to their primary line of business; in the absence of such rules, these regulations shall apply.
  2. The assessment plan and results shall be submitted to the board of directors or approved by a managerial department authorized by the board, provided that in the case of a Taiwan branch of a foreign futures commission merchant, this may be carried out by the responsible person of the branch. The assessment plan shall be reviewed at least once every three years.
3     Classification and Assessment Cycle of Information and Communication Systems
  1. Information and communication systems are classified into three categories based on their importance:

  2. (Please refer to the attachment)

  3. Testing may be conducted by sampling where a system comprises a large number of equipment units and the economic rights to such equipment are owned by the company. The sampling rate shall be at least 10% of all the equipment in the system or a minimum of 100 units each time.
  4. Where a material information and communication security incident occurs in a single system and is confirmed to constitute a personal data breach or a hacker attack, an information and communication security assessment must be re-conducted and completed within three months.
4     Information and Communication Security Assessment
  1. Information architecture review
    1. Review the network architecture configuration, appropriateness of the information equipment security management rules etc., to assess potential risks and take necessary countermeasures.
    2. Review the maximum impact of single points of failure and risk-bearing capacity.
    3. Review the adequacy of measures taken in connection with business continuity.
    4. Timely refer to information security threat intelligence and protection recommendations published by the Financial Information Sharing and Analysis Center (F-ISAC) and implement relevant measures.
    5. Review whether servers are segmented by network segments according to the classification of information and communication systems, system functions, or service characteristics.
    6. Review whether boundary protection equipment (including gateways, routers, firewalls, protective devices etc.) and external network connection points have firewalls to control data transmission and resource access between the intranet and the internet, and restrict unnecessary connected parties and connection services.
  2. Network activity review
    1. Review access logs and account authorizations for network equipment, servers, and IoT equipment to identify anomalies and verify alert mechanisms.
    2. Review monitoring logs of information security equipment (such as firewalls, intrusion detection or prevention systems, anti-malware, data leakage prevention, spam filtering, phishing detection, web protection etc.) to identify anomalies and verify alert mechanisms.
    3. Examine the network for abnormal connections or unusual Domain Name System Server (DNS Server) queries, or monitor incoming and outgoing traffic, and cross-check against known malicious IPs, proxy servers, or patterns consistent with malicious network behavior.
    4. Review whether measures are established for detecting and handling counterfeit websites.
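The cross-check described in items 2 and 3 above, as an added illustration that is not part of these Operating Procedures: a Python script that reviews constructed firewall and DNS log lines against a constructed blocklist and also flags hosts whose DNS query volume exceeds a threshold. The log line format, the blocklist values and the threshold are assumptions, not values from the document.

```python
import re
from collections import Counter

# Constructed blocklist (placeholder values, not real threat intelligence)
MALICIOUS_IPS = {"203.0.113.45", "198.51.100.7"}
MALICIOUS_DOMAINS = {"bad-c2.example", "phish-login.example"}
DNS_QUERY_THRESHOLD = 3  # queries per host above which volume is flagged (assumed)

# Constructed sample logs: "timestamp src dst action" and "timestamp src query"
FW_LOG = """\
2025-10-13T09:00:01 10.0.1.20 203.0.113.45 ALLOW
2025-10-13T09:00:02 10.0.1.21 192.0.2.10 ALLOW
2025-10-13T09:00:03 10.0.1.22 198.51.100.7 DENY
"""
DNS_LOG = """\
2025-10-13T09:01:00 10.0.1.20 www.example.com
2025-10-13T09:01:01 10.0.1.20 bad-c2.example
2025-10-13T09:01:02 10.0.1.30 a1.example.net
2025-10-13T09:01:03 10.0.1.30 a2.example.net
2025-10-13T09:01:04 10.0.1.30 a3.example.net
2025-10-13T09:01:05 10.0.1.30 a4.example.net
"""

FW_RE = re.compile(r"^(\S+) (\S+) (\S+) (ALLOW|DENY)$")
DNS_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def review_firewall(log, bad_ips=MALICIOUS_IPS):
    """Flag every connection whose destination is on the malicious-IP list,
    whether the firewall allowed or denied it (a denied attempt still
    indicates a host worth inspecting)."""
    findings = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, src, dst, action = m.groups()
        if dst in bad_ips:
            findings.append(("malicious_ip", src, dst, action))
    return findings


def review_dns(log, bad_domains=MALICIOUS_DOMAINS, threshold=DNS_QUERY_THRESHOLD):
    """Flag queries for listed domains and hosts with unusual query volume."""
    findings = []
    per_host = Counter()
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        _ts, src, name = m.groups()
        per_host[src] += 1
        if name.lower() in bad_domains:
            findings.append(("malicious_domain", src, name))
    for host, count in per_host.items():
        if count > threshold:
            findings.append(("dns_volume", host, count))
    return findings
```

In practice the blocklist would be fed from the threat intelligence referred to in section 4.1.4 and the threshold tuned to the host's normal baseline.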
  3. Inspection of network equipment, servers, endpoint and communication, and IoT equipment etc.
    1. Conduct vulnerability scanning and remediation operations for network equipment, servers, endpoint equipment, and IoT equipment etc.
    2. Inspect terminals and servers for the presence of malware.
    3. Inspect the complexity of system account login passwords; review the storage protection mechanisms and access controls for external connection passwords (such as File Transfer Protocol (FTP) connections, database connections etc.).
    4. When performing IoT equipment inspections, follow the Establishment of an Information and Communications Security Inspection System for Futures Commission Merchants.
  4. The following shall be carried out in regard to network equipment, servers, and IoT equipment etc. that are accessible directly from the internet:
    1. Conduct penetration testing.
    2. Perform source code scanning or black-box testing of server application systems.
    3. Review access authorizations for server directories and web pages.
    4. Verify whether anti-tampering mechanisms for external websites and web pages are established.
    5. Inspect the systems for abnormal authorized connections, unusual CPU resource consumption, and anomalous database access activities etc.
  5. Client-side application testing
  6. Futures commission merchants and client-side applications shall use encrypted connections. The following tests shall be conducted on applications delivered by futures commission merchants to clients:
    1. Vulnerability scanning where HTTPS or SFTP is provided.
    2. Source code scanning or penetration testing.
    3. Sensitive data protection testing (such as memory, storage media).
    4. Key protection testing.
    5. Implementation of the principle of least privilege, allowing users only the authorized access and control necessary to perform their assigned tasks and business functions.
  7. Security configuration review
    1. Review server settings (such as Active Directory) related to password principles and account lockout principles.
    2. Examine whether the firewall has security-risk ports or unnecessary ports open, and whether connection settings have security vulnerabilities.
    3. Review system access restrictions (such as Access Control Lists) and privileged account management.
    4. Examine update settings and status of operating systems, antivirus software, office software, and application software etc.
    5. Review security measures for key storage protection mechanisms and access controls etc.
    6. Verify that user identity is authenticated in the event of connection from the internet to the company's intranet.
  8. Measures against breaches of the reliability and security of information and communication systems:
    1. The company shall develop relevant countermeasures to enhance the reliability of its information and communication systems. These measures shall include:
      1. Enhancing hardware reliability: Including countermeasures to prevent hardware failures and the setup of backup hardware equipment.
      2. Enhancing software system reliability: Including measures to improve software development quality and software maintenance quality.
      3. Measures to improve operational reliability.
      4. Early detection and early recovery measures against failures.
      5. Disaster response measures.
      6. A verification plan must be established for system backup media for backups, and the reliability of the backup media and the integrity of information must be validated.
    2. The company shall develop relevant countermeasures against information and communication security breaches. These measures shall include:
      1. Data protection: Including measures to prevent leakage, or destruction or tampering, along with corresponding testing measures.
      2. Prevention of illegal use: Including access authorization verification, restriction of application scope, prevention of illegal forgery, limitation of internet access, and detection and response measures.
      3. Prevention of illegal applications: Including defense, detection, and recovery measures.
    3. Review whether the information and communication systems comply with the requirements of the Establishment of an Information and Communications Security Inspection System for Futures Commission Merchants and related directives of competent authorities.
    Category I, Category II, and Category III information and communication systems shall all be incorporated into the information security assessment procedure based on the assessment items mentioned in the preceding paragraph, to ensure the effectiveness of the assessment.