Title: Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets
Date: 2022.04.26 (Announced)

Article Content

Chapter 1 General Provisions
Article 1     (Purpose)
    For the purpose of strengthening the information and communication security of securities firms, futures commission merchants, and securities investment trust and consulting enterprises, these information and communication system protection reference guidelines are drafted addressing security issues concerning information and communication systems in accordance with the "financial data security action plan" of the Financial Supervisory Commission to improve data security of financial enterprises.
Article 2     (Applicability and Parties Governed)
    Parties governed by these guidelines include securities firms, futures commission merchants, securities investment trust enterprises, and securities investment consulting enterprises, and are divided into two types as below:
  1. Type 1:
    1. organizations appointing a chief information security officer in accordance with Article 36-2 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets
    2. tiers 1, 2, and 3 securities firms in the Establishing Information Security Inspection Mechanisms for Securities Firms - Schedule for Required Measures under Tiered Protection
    3. tiers 1, 2, and 3 futures commission merchants in the Establishing Information Security Inspection Mechanisms for Futures Commission Merchants - Schedule for Required Measures under Tiered Protection
  2. Type 2:
    1. organizations that are not type 1 organizations
    The reference guidelines below address matters to be observed by both type 1 and type 2 organizations unless otherwise specifically remarked.
    If the data security management policy of a Taiwan subsidiary or branch of a foreign group is established and controlled by the foreign parent company or head office, the relevant control measures established by the parent company or head office shall prevail if they provide for better regulation; if no such measures are in place, the policy shall be in accordance with Taiwan laws and regulations.
Article 3     (Definitions)
  1. Information and communication system: a system used for collecting, controlling, transmitting, storing, circulating, or deleting information, or otherwise processing, using, and sharing information.
  2. Core system: an essential system that is directly available to a client for trading purposes or that supports the continued operation of trading businesses, such as a trading system, quotation system, middle-office risk control system, after-hours clearing system, billing system, and other essential systems that maintain trading businesses. All other systems are non-core systems.
  3. Non-client account: an information and communication system account used by a non-client, such as an internal staff member, administrator, or vendor.
  4. Information asset: an asset pertaining to the processing of information, including hardware, software, data, and documents, such as the operating system, applications, and other software of a server or a user's computer.
Chapter 2 Access Control
Article 4     (Account management)
  1. An organization shall establish the information and communication system account management mechanism, covering procedures for the application, creation, change, activation, deactivation, and deletion of an account.
  2. The information and communication system account approved by an organization for temporary or emergency use shall be deleted or banned after the operation ends.
  3. An organization shall ban an idle information and communication system account.
  4. An organization shall review the appropriateness of information and communication system accounts and authorizations.
  5. A type 1 organization shall define the idle time or available time of a core system and the status and conditions of use of said system, such as account type and restrictions on its functions, restrictions on operating hours, restrictions on the source IP address, number of connections, and accessible resources, etc.
  6. If a core system of a type 1 organization operates beyond the permitted idle time or available time prescribed, it is advisable for the system to log the user account out automatically.
  7. A type 1 organization shall use a core system in accordance with the circumstances and conditions prescribed by the organization.
  8. An organization offering online ordering services shall monitor and analyse on a daily basis the records of login attempts and similar events for core system accounts and non-client accounts, and shall report any irregular use discovered to the manager and follow up.
  9. No organization may use a client's explicit data, such as uniform business number, identity card number, mobile phone number, email address, credit card number, or savings account number, as the sole means of identification; instead it shall separately create a user code for identification purposes.
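The daily review that Article 4 asks of an organization offering online ordering services (items 5 and 8: prescribed conditions of use for non-client accounts, and daily analysis of login records) can be automated over the system's login log. The following is an added illustration written for this page, not code from the guidelines or from any regulated firm; the log lines, the permitted-hours window, the approved source networks, the failure threshold and all field names are constructed assumptions.

```python
"""Daily review of core-system login records (Article 4, items 5 and 8).

Everything here is constructed for illustration: the log lines, the permitted
hours, the approved source ranges and the field names are assumptions, not
values taken from the guidelines.
"""
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample login records: UTC timestamp, account, account type,
# source IP, result. "client" accounts are exempt from the hours/source checks;
# every other type is a non-client account in the sense of Article 3.
SAMPLE_LOG = """\
2022-04-26T01:05:10Z trader01 client 203.0.113.10 SUCCESS
2022-04-26T01:07:42Z admin02 admin 198.51.100.7 FAILURE
2022-04-26T01:08:01Z admin02 admin 198.51.100.7 FAILURE
2022-04-26T01:08:20Z admin02 admin 198.51.100.7 FAILURE
2022-04-26T01:09:00Z admin02 admin 198.51.100.7 FAILURE
2022-04-26T13:30:00Z ops03 staff 10.0.5.20 SUCCESS
2022-04-26T02:15:00Z vendor04 vendor 192.0.2.44 SUCCESS
"""

# Assumed conditions of use prescribed by the organization for non-client
# accounts: 08:00-18:00 local time (UTC+8) expressed in UTC, two approved
# source networks, and a failed-login threshold worth reporting.
PERMITTED_HOURS = (time(0, 0), time(10, 0))
APPROVED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]
FAILURE_THRESHOLD = 3


def parse_records(text):
    """Turn the whitespace-separated sample format into dicts."""
    records = []
    for line in text.strip().splitlines():
        stamp, account, kind, source, result = line.split()
        records.append({
            "when": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
            "account": account,
            "kind": kind,
            "source": ip_address(source),
            "result": result,
        })
    return records


def review_logins(records):
    """Return sorted (account, reason) findings for the manager to follow up."""
    findings = []
    failures = defaultdict(int)
    for rec in records:
        if rec["result"] == "FAILURE":
            failures[rec["account"]] += 1
        if rec["kind"] == "client":
            continue  # conditions of use below apply to non-client accounts
        clock = rec["when"].time()
        if not PERMITTED_HOURS[0] <= clock <= PERMITTED_HOURS[1]:
            findings.append((rec["account"], "login outside permitted hours"))
        if not any(rec["source"] in net for net in APPROVED_SOURCES):
            findings.append((rec["account"], "login from unapproved source IP"))
    for account, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            findings.append((account, f"{count} failed login attempts"))
    return sorted(findings)


if __name__ == "__main__":
    for account, reason in review_logins(parse_records(SAMPLE_LOG)):
        print(f"{account}: {reason}")
```

Each finding names the account and the condition of use it violated, which is the information the manager needs for the follow-up the article requires; in a real deployment the records would come from the core system's own log rather than an embedded string.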
Article 5     (Least Privilege)
  1. The information and communication system account shall be least privileged in principle, only authorizing access to users (or processes acting on behalf of users) for completing an operation as necessary according to the authority and responsibility and business function of each department of the organization.
  2. An organization shall define the roles and duties of its personnel and segregate conflicting roles.
Article 6     (Remote Access)
  1. An organization shall prescribe remote connection regulations setting forth restrictions on use, configuration requirements, connection requirements, and documentation. Prior authorization shall be obtained, and records kept, for any type of remote access permitted.
  2. An organization shall complete at server side the verification of an authorized log-in of the information and communication system account.
  3. An organization shall monitor the connection of an external network that remote-connects and accesses the organization's internal network segment.
  4. The information and communication system shall use an encrypted connection mechanism.
  5. The source of remote access to the information and communication system shall be an access control point approved by the organization.
Chapter 3 Incident Logs and Accountability
Article 7     (Incident Records)
  1. An organization shall set forth the recording frequency and retention policy of the computer audit records (logs) of the information and communication system and retain such records for a minimum of three years.
  2. The information and communication system shall be equipped with the function of recording specific incidents and determine the specific information and communication incidents to record.
  3. The information and communication system shall record the various functions executed by the administrator account and re-examine on a daily basis the results of any use of the most privileged account of a core system and a core system privileged account with special functions (such as a program or software change, modification of privilege level of a parameter or configuration).
  4. An organization shall review on a regular basis the computer audit records (logs) generated by a core system. Regular reviews of non-core systems are advised.
Article 8     (Content and Capacity of Computer Audit Records (Logs))
  1. A computer audit record (log) generated by the information and communication system shall include information pertaining to the incident such as the type, time, location, and user identification. Day logs are advised to ensure consistency. Other relevant information shall be incorporated in accordance with the information and communication security policy set forth by the organization, laws and regulations, and business needs of the organization.
  2. The information and communication system shall provide the storage capacity required for storage of computer audit records (logs).
Article 9     (Responses to Processing Failure of Computer Audit Records (Logs))
  1. An organization shall take appropriate action when processing of computer audit records (logs) of the information and communication system fails.
  2. When the processing of computer audit records (logs) of a core system of a type 1 organization fails in a way that requires an immediate alert, it is advisable for the core system to warn specific personnel within the time prescribed by the organization.
Article 10     (Timestamps and Synchronization)
  1. The information and communication system shall generate the timestamps required for computer audit records (logs) from its internal clock, and those timestamps shall be traceable to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).
  2. The internal clock of the information and communication system shall be synchronized with standard time sources on a regular basis.
Article 11     (Protection of Information of Computer Audit Records (Logs))
  1. For management purposes, access to computer audit records (logs) is limited to authorized users only.
  2. A core system shall apply hashing or another appropriate integrity protection mechanism to its computer audit records (logs). An integrity protection mechanism is advised for a non-core system.
  3. A core system of a type 1 organization shall make a regular backup of computer audit records (logs) in other external physical systems.
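Articles 8, 10 and 11 together describe what an audit record must carry (type, time, location, user identification), where its time comes from (the system clock, traceable to UTC) and how it is protected (hashing). The following added illustration, written for this page and not taken from the guidelines, shows one way to meet all three: each record's SHA-256 hash covers its own fields and the hash of the previous record, so that editing, dropping or reordering a stored record is detectable on review. The field names, event types and sample entries are assumptions.

```python
"""Tamper-evident audit records for Articles 8, 10 and 11 (added example).

Each record carries the Article 8 fields, a UTC timestamp (Article 10), and a
SHA-256 hash chained to the previous record (Article 11). Field names and the
sample entries are constructed assumptions.
"""
import hashlib
import json
from copy import deepcopy
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(body):
    """Canonical JSON so the hash does not depend on key order or spacing."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_record(log, event_type, user, location, detail, when=None):
    """Append one record whose hash covers its fields and the previous hash."""
    when = when or datetime.now(timezone.utc)  # system clock, UTC (Article 10)
    body = {
        "type": event_type,
        "time": when.isoformat(timespec="seconds"),
        "location": location,
        "user": user,
        "detail": detail,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    body["hash"] = _digest(body)  # computed before "hash" exists in the dict
    log.append(body)
    return body


def verify_chain(log):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for index, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != rec.get("hash"):
            return False, index
        prev = rec["hash"]
    return True, None


def build_sample_log():
    """Constructed entries of the kind Article 7(3) asks to be reviewed daily."""
    log = []
    t0 = datetime(2022, 4, 26, 1, 0, 0, tzinfo=timezone.utc)
    append_record(log, "LOGIN", "admin02", "ordering-app-01", "console login", t0)
    append_record(log, "CONFIG_CHANGE", "admin02", "ordering-app-01",
                  "risk parameter max_notional changed", t0.replace(minute=5))
    append_record(log, "LOGOUT", "admin02", "ordering-app-01", "session ended",
                  t0.replace(minute=9))
    return log


def tampered_copies(log):
    """Two constructed manipulations of stored logs that the check must catch."""
    edited = deepcopy(log)
    edited[1]["detail"] = "routine maintenance"  # an entry rewritten after the fact
    trimmed = deepcopy(log)
    del trimmed[1]                               # an entry removed
    return edited, trimmed


if __name__ == "__main__":
    sample = build_sample_log()
    print("original:", verify_chain(sample))
    for variant in tampered_copies(sample):
        print("tampered:", verify_chain(variant))
```

The chain only proves that the copy being checked is consistent with itself; that is why Article 11(3) also asks for regular backups of the logs to a separate physical system, whose last hash gives the reviewer an external reference point.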
Chapter 4 Business Continuity Plan
Article 12     (System Backup)
  1. An organization shall prescribe the duration of the information and communication system's tolerance of data loss.
  2. An organization shall make a backup of the source codes and data of programs of the information and communication system.
  3. An organization shall test the backup information of the information and communication system on a regular basis to verify the reliability of the backup media and exhaustiveness of the information.
  4. A core system of a type 1 organization shall restore backups as part of the test of the business continuity plan.
  5. A core system of a type 1 organization shall store backups of important information and communication system software and other security related information in independent facilities or fireproof cabinets at a location different from that of the operating system.
Article 13     (Redundancy)
  1. An organization shall prescribe the tolerable time from interruption to recovery of the information and communication system.
  2. When a service of the information and communication system is interrupted, an organization shall render the service using backup equipment or other means within the tolerable time.
  3. An organization shall develop contingency procedures to respond to material information system incidents or acts of God, and shall confirm the corresponding resources so that the impact of a material disaster on major operations and businesses is kept within reasonable bounds.
Chapter 5 Identification and Authentication
Article 14     (Identification and Authentication of Internal Users)
  1. The information and communication system shall uniquely identify and authenticate internal users of an organization (or processes acting on behalf of organization users), and the use of shared accounts is banned.
  2. Multi-factor authentication shall be applied when the administrator account is used to log in a core system through the Internet. Multi-factor authentication is advised for access by internal users to a core system of a type 1 organization.
Article 15     (Management of Identity Verification)
  1. After logging in to the information and communication system with a default password, a user shall immediately be required to change the password before continuing.
  2. Information pertaining to identity verification by the information and communication system shall not be transmitted in cleartext.
  3. The information and communication system shall be equipped with an account lockout mechanism. After three failed identity verification attempts on an account, no further login to that account is allowed for at least 15 minutes, or the validation failure mechanism developed by the organization applies. In the event of an electronic transaction, after three failed attempts to enter the password, the login failure incident shall be recorded, the login account shall be locked out, and the connection shall be disconnected. When an unlock application is processed, the applicant's identity shall be precisely verified, and a relevant record kept, before the account is unlocked.
  4. When a password is used for verification, a minimum password complexity shall be prescribed, and maximum and minimum password ages (in days) shall be imposed.
  5. When a password is changed, the new password may not be the same as any of the previous three passwords used.
  6. With regard to the measures listed in the preceding two paragraphs, regulations set forth by an organization may apply to non-internal users.
  7. The identity verification mechanism of a core system shall prevent logins or password change attempts by automated programs. It is advisable for a non-core system to prevent logins or password change attempts by automated programs.
  8. The password reset mechanism of a core system shall, upon re-confirming the identity of a user, send a one-time, time-limited token (such as a link or a one-time password (OTP) sent to the registered email address or mobile phone of the user) or adopt another identity verification method. It is advisable for a non-core system to have an identity verification method in place after a password is reset.
Article 16     (Authenticator Feedback and Cryptographic Module Authentication)
  1. An organization shall mask the authentication information displayed in the course of authentication to the information and communication system.
  2. Passwords used by an organization for authentication of the information and communication system shall be encrypted or hashed before being saved.
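Articles 15 and 16 fix several concrete numbers (three failed attempts, a lock of at least 15 minutes, no reuse of the previous three passwords, passwords stored only in hashed form). The following added illustration, written for this page rather than taken from the guidelines, shows those rules as account logic: a lockout counter with a time-based lock, an administrative unlock that records who verified the identity, a password-history check, and salted PBKDF2 hashes so the stored value is never the password. The complexity rule, the PBKDF2 parameters and all names are assumptions.

```python
"""Account lockout, password history and storage (Articles 15 and 16).

Added example. Values taken from the text: three failed attempts, a lock of
at least 15 minutes, a history of three previous passwords. The complexity
rule, the PBKDF2 parameters and all names are constructed assumptions.
"""
import hashlib
import hmac
import os
import re
from datetime import timedelta

MAX_FAILURES = 3                  # Article 15(3)
LOCKOUT = timedelta(minutes=15)   # Article 15(3)
HISTORY_DEPTH = 3                 # Article 15(5)
MIN_LENGTH = 12                   # assumed organizational minimum, Article 15(4)
PBKDF2_ROUNDS = 100_000           # assumed work factor


def hash_password(password, salt=None):
    """Article 16(2): store a salted PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def meets_complexity(password):
    """Assumed rule: minimum length plus upper, lower, digit and symbol classes."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(password) >= MIN_LENGTH and all(re.search(p, password) for p in classes)


class Account:
    def __init__(self, name, initial_password):
        self.name = name
        self.history = [hash_password(initial_password)]  # newest last
        self.failures = 0
        self.locked_until = None
        self.events = []  # (time, event) pairs destined for the audit record

    def login(self, password, now):
        if self.locked_until and now < self.locked_until:
            self.events.append((now, "LOGIN_REJECTED_LOCKED"))
            return "locked"
        if check_password(password, self.history[-1]):
            self.failures = 0
            self.locked_until = None
            self.events.append((now, "LOGIN_OK"))
            return "ok"
        self.failures += 1
        self.events.append((now, "LOGIN_FAILED"))
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT
            self.failures = 0
            self.events.append((now, "ACCOUNT_LOCKED"))
            return "locked"
        return "failed"

    def unlock(self, now, verified_by):
        """Article 15(3): unlock only after identity verification, and keep a record."""
        self.locked_until = None
        self.failures = 0
        self.events.append((now, f"UNLOCKED_AFTER_VERIFICATION_BY:{verified_by}"))

    def change_password(self, current, new):
        if not check_password(current, self.history[-1]):
            return "bad-current-password"
        if not meets_complexity(new):
            return "too-weak"
        if any(check_password(new, h) for h in self.history[-HISTORY_DEPTH:]):
            return "reused"
        self.history.append(hash_password(new))
        return "changed"
```

The history list keeps hashes, not passwords, so the reuse check in `change_password` re-derives the candidate against each stored salt; the `events` list is what would feed the login-failure and unlock records that items 3 of Article 15 and Article 7 require.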
Article 17     (Identification or Authentication of Non-Internal Users)
    The information and communication system shall identify and authenticate non-organization users (or processes acting on their behalf).
Chapter 6 Acquisition of Systems and Services
Article 18     (System Development Life Cycle - Requirement Analysis and Design Stage)
  1. An organization shall ascertain the security requirements (including confidentiality, availability, and integrity) of the information and communication system during the requirement analysis stage of the system.
  2. An organization shall, according to the functions and requirements of a core system, identify threats that may impact the system and perform risk analyses and assessments of them. It is advisable for a non-core system to have its threats identified and risk analyses and assessments performed.
  3. An organization shall reflect the results of a core system risk assessment in the items reviewed at the requirement stage and propose modifications to the security requirements. It is advisable for a core system to be so modified according to the risk assessment results.
Article 19     (System Development Life Cycle - Development and Testing Stage)
  1. The information and communication system shall implement necessary control measures with regard to safety requirements.
  2. The information and communication system shall take notice of and prevent common software flaws and implement necessary control measures.
  3. When an error occurs in the information and communication system, the user page only shows a short error message and code, excluding details of the error.
  4. It is advisable for an organization offering online ordering services to perform "source code scan" for purposes of safety testing of its core systems.
  5. It is advisable for the core systems of a type 1 organization to be equipped with an alert mechanism against serious errors.
  6. An organization offering online ordering services shall perform regular vulnerability scans of the information and communication system (at least on a biannual basis) for purposes of safety testing.
  7. An organization offering online ordering services shall perform regular penetration tests on the core systems which offer online services for purposes of safety testing.
Article 20     (System Development Life Cycle - Deployment, Maintenance and Operation, and Outsourcing Stage)
  1. An organization shall update and patch the information and communication system against relevant security threats and flaws, and shall disable unnecessary services and ports in the deployment environment.
  2. An organization shall inspect the existing information and communication system, set and use strong passwords, and avoid using default passwords.
  3. An organization shall implement version control and change management during the maintenance and operation stage of the development life cycle of the information and communication system.
  4. If an organization outsources the development of the information and communication system, it shall incorporate by level the safety requirements (including confidentiality, availability, integrity) of the system of each stage of the development life cycle in the outsourcing contract.
Article 21     (Acquisition Process and System Documents)
  1. The official operating environment of the information and communication system shall be separated from the development and testing environments.
  2. An organization shall store and manage documents pertaining to the development life cycle of the information and communication system.
Chapter 7 System and Communication Protection
Article 22     (Confidentiality and Integrity of Transmission and Safety of Data Storage)
  1. A core system shall adopt an encrypted transmission mechanism for the transmission of personal or classified data through the Internet, to prevent unauthorized information disclosure or detect information changes.
  2. It is advisable for a core system of a type 1 organization to adopt an encrypted transmission mechanism for the transmission of personal or classified data through the Intranet.
  3. The encryption described in the preceding two paragraphs is not necessary if physical protective measures are available as substitutes in the course of transmission.
  4. In the event of the international transmission of classified data, an organization shall develop an encrypted transmission mechanism and confirm that the collection, processing, use, international transmission, and control of client information by an entrusted institution (the head office or an overseas subsidiary to which a foreign organization outsources information processing offshore due to division of work) comply with the applicable provisions of the Personal Data Protection Act of the R.O.C. Authorization from the data subject shall be obtained prior to transmission. No restriction of a competent authority on international transmission may be violated. Complete audit records shall be kept.
  5. The encryption mentioned shall use algorithms that are public, certified by international institutions, and not known to be broken.
  6. Encryption keys or certificates shall be replaced periodically.
  7. It is advisable for an encryption mechanism to support the maximum key length the algorithm offers.
  8. It is advisable that regulations be set forth and necessary security protection measures be implemented for the safekeeping of keys on the server side of an encryption system.
  9. Important configuration files and other information requiring protection that are contained in a core system of a type 1 organization shall be encrypted or otherwise appropriately stored.
  10. Encryption and decryption programs and general-purpose utility programs (such as database tools) shall be subject to control, with restrictions on their use to prevent unauthorized access, and audit trails shall be kept.
Chapter 8 System and Information Integrity
Article 23     (Flaw Remediation)
  1. Flaw detection of the information and communication system conducted by an organization shall cover all information assets in principle. In flaw remediation, effectiveness and potential impact shall be tested. Regular updates shall be made.
  2. An organization shall ascertain periodically the status of flaw remediation pertaining to the information and communication system and prescribe a time limit for remediation by the level of risk of the flaw discovered and whether external services are offered. Protection and detection of irregularities shall be strengthened before remediation, to ensure prompt and effective vulnerability management.
Article 24     (Monitoring of the Information and Communication System)
  1. A report shall be made to specific personnel of an organization if the information and communication system shows signs of being hacked.
  2. An organization shall monitor the core systems to detect attacks and unauthorized connection and identify any unauthorized use of the information and communication system. Monitoring of non-core systems is advised.
  3. It is advisable for a core system to monitor traffic using automation tools and analyse any unusual or unauthorized activity discovered.
Article 25     (Integrity of Software and Information)
  1. A core system shall use integrity validation tools to detect unauthorized change of specific software and information. It is advisable for a non-core system to use integrity validation tools.
  2. The validity of data entered by users of a core system shall be verified on the server side of the application system.
  3. Safety protection measures designated by an organization shall be implemented should the information and communication system discover a breach of integrity.
  4. It is advisable for the core systems of a type 1 organization to verify the integrity of software and information periodically.
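Article 25 asks a core system to use integrity validation tools to detect unauthorized change of specific software and information, and advises periodic re-verification. The following added illustration, written for this page and not taken from the guidelines or any vendor's tool, shows the core of such a tool: a SHA-256 baseline of the deployed files is recorded once, and each later check reports files that were modified, removed or added since the baseline. The directory layout, file names and contents are constructed.

```python
"""File integrity validation for a core system (Article 25, added example).

A SHA-256 baseline of deployed files is recorded; a later check reports files
modified, removed or added since. Paths and contents are constructed.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's root-relative path (with '/' separators) to its hash."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def verify_baseline(root, baseline):
    """Compare the current tree with the baseline; each list is sorted."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed deployment, baseline, then three changes the check must catch."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/order_engine", b"engine build 1.0\n")
        _write(root, "conf/risk_limits.ini", b"max_notional=1000000\n")
        _write(root, "conf/legacy.ini", b"obsolete\n")
        baseline = build_baseline(root)
        _write(root, "conf/risk_limits.ini", b"max_notional=999999999\n")  # changed
        os.remove(os.path.join(root, "conf", "legacy.ini"))                 # removed
        _write(root, "bin/helper.so", b"unexpected binary\n")               # added
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline itself is information requiring protection in the sense of Article 22(9): it should be stored where the monitored system cannot rewrite it, otherwise whoever changes a file can also update its expected hash.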
Article 26     (Protection of Personal Data)
  1. The following data safety management measures shall be adopted to protect the safety of personal data held:
    1. Use of each type of equipment or storage medium shall be regulated. Appropriate measures shall be taken against data leak when any equipment or medium is discarded or used for other purposes.
    2. Appropriate measures of encryption shall be taken when personal data held that needs to be encrypted are collected, processed, or used.
    3. Where it is necessary to back up personal data in the course of operation, the backup data shall be protected appropriately.
  2. The following safety management measures shall be adopted for the relevant equipment if personal data held is stored in a hard copy, disc, magnetic film, optical disk, microfilm, integrated circuit chip, computer, automated machine or equipment, or other medium:
    1. Access shall be properly restricted.
    2. Methods of safekeeping media shall be prescribed.
    3. Appropriate protective equipment or technology shall be installed according to the characteristics and environment of each medium.
  3. For the purposes of protecting the safety of personal data held, the level of authority of relevant personnel to access personal data shall be determined by the need to execute business, their access shall be controlled, and confidentiality obligations shall be entered into with the personnel.
  4. It shall be confirmed that risk assessment and control are performed of personal data held in the core systems and all computer systems.
  5. A core system or computer system shall keep audit trails of the use of personal data (such as login accounts, system functions, times, system names, inquiry commands or results) or have in place an identification mechanism to facilitate tracking of the use of personal data in the event of a leak.
  6. A data leak protection mechanism shall be established to control transmission of personal data through copying through an input/output device, communication software, or system operation to a webpage or network file, etc. The relevant records, trails, and evidence shall be retained.
  7. The following records shall be retained in the event of an erasure or suspension of processing or use of personal data held:
    1. Method and time of said erasure or suspension.
    2. Where the personal data is transferred to others after the erasure or suspension, the reason of the transfer, party to which the personal data is transferred, method of transfer, time of transfer, and legal basis for said party's collection, processing, or use.