Title: Reference Guidelines on the Cybersecurity Protection of Service Enterprises in Securities and Futures Markets
Date: 2022.04.26 (Announced)

Article Content

Chapter 1 General Provisions
Article 1     (Purpose)
    For the purpose of strengthening the information and communication security of securities firms, futures commission merchants, and securities investment trust and consulting enterprises, these cybersecurity protection reference guidelines are drafted addressing cybersecurity risk issues in accordance with the financial data security action plan of the Financial Supervisory Commission to improve data security of financial enterprises.
Article 2     (Applicability and Parties Governed)
    Parties governed by these guidelines include securities firms, futures commission merchants, securities investment trust enterprises and securities investment consulting enterprises and are divided into two types as below:
  1. Type 1:
    1. organizations appointing a chief information security officer in accordance with Article 36-2 of the Regulations Governing the Establishment of Internal Control Systems by Service Enterprises in Securities and Futures Markets.
    2. tiers 1, 2, and 3 securities firms in the Establishing Information Security Inspection Mechanisms for Securities Firms - Schedule for Required Measures under Tiered Protection.
    3. tiers 1, 2, and 3 futures commission merchants in the Establishing Information Security Inspection Mechanisms for Futures Commission Merchants - Schedule for Required Measures under Tiered Protection.
  2. Type 2:
    1. non-type 1 organizations.
  3. If the data security management policy of a Taiwan subsidiary or branch of a foreign group is controlled and established by the foreign parent company or head office, the relevant control measures established or set up by the parent company or head office prevail if they provide for better regulation. Taiwan laws and regulations shall be observed if no such measures are in place.
  4. The reference guidelines below address matters to be observed by types 1 and 2 organizations unless otherwise specially remarked.
Article 3     (Definitions)
  1. Information and communication system: A system used for collecting, controlling, transmitting, storing, circulating, or deleting information, or otherwise processing, using, and sharing information.
  2. Access: Access to an information asset by various means, including acquisition, use, safekeeping, inquiry, revision, adjustment, destruction, etc.
  3. Network equipment: Components for network communication which are required for transmitting data, programs, services, and multimedia, such as firewalls, routers, switches, etc., as also included in the network diagram of an organization.
  4. Information and communication security event: An event where a system, service, or network is found upon evaluation to show signs of a possible breach of the information and communication security policy or failure of a protective measure, which impacts the operation of the information and communication system and constitutes a threat against the information and communication security policy.
  5. Information asset: An asset pertaining to the processing of information, including hardware, software, data, documents, personnel, etc., such as the operating system, applications, and other software of a server or a user's computer.
Chapter 2 Network Infrastructure and Cybersecurity Management
Article 4     (Definition of Network Infrastructure)
  1. A network infrastructure enables an organization to consider business maintenance and operation and information and communication security more comprehensively when the organization is devising its business operation system and structure.
  2. A network diagram shall indicate the equipment of the network environment essential to the maintenance of business operation, such as firewalls, routers, switches, system equipment, wiring, servers and services, wireless networks. Relevant files and records shall be available of proposed network segments and routing, host address, and backup cables.
Article 5     (Network Segmentation)
  1. Work areas shall be divided and isolated by network segmentation to ensure network infrastructure security.
  2. For the purpose of maintaining business operation, the network shall be segmented into, for example, a Demilitarized Zone (DMZ), Production (Prod.), Unit Test (UT) or User Acceptance Test (UAT), and other segments.
  3. An organization shall define the extranet and the intranet. The extranet is the segment connected to the Internet, while the intranet is the server-equipped area serving the organization's personnel and internal services. Traffic from the extranet to the intranet is subject to access control to prevent unsanctioned services.
  4. Segregation by a virtual local area network, or VLAN, is advised for intranet segments of an organization. The intranet may be segmented according to the internal units, departments, business natures, etc. of the organization, with restrictions imposed on access among different VLANs.
  5. An organization shall isolate services whose access is restricted and specific services by appropriate means. Information personnel shall, depending on the way of segregation, review the firewall rules or access control list (ACL) periodically.
Article 6     (Network Equipment Protection Standards)
  1. An organization shall avoid using end-of-service (EOS) or end-of-life (EOL) network equipment and devise related replacement plans for such equipment.
  2. An organization shall check for official releases of software and firmware updates and vulnerability remediation programs and, upon evaluation, update network equipment to the current version or the version proposed by the supplier.
  3. An organization shall implement identity verification when it performs remote maintenance of the system through connection by the Internet to the intranet.
  4. The protection standards applicable to all the network equipment of an organization are governed by the Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets.
Article 7     (Wireless Networks)
  1. Access to wireless networks that an organization makes available to external or internal personnel shall be protected by current, publicly ratified security protocols with no known vulnerabilities.
  2. An organization shall formulate wireless network password rules to minimize the risk of cracking.
Article 8     (Access by External Equipment of the Intranet)
    If an organization permits external or internal personnel to use external equipment to access the intranet, it shall require an application to be submitted, inspect the security and authorization of the equipment, and restrict such access.
Chapter 3 Network Equipment Security Management
Article 9     (Network Equipment Management)
  1. The administrator account of a network equipment administrator shall be used by that administrator only and shall not be a shared account. The principles for setting the password of the administrator account shall conform to the organization's identity verification regulations.
  2. An organization shall limit personnel managing and using network equipment, the relevant equipment, IP, and network segments, or adopt measures such as a one-time password (OTP) or temporary privileged access, and retain records of operation by personnel using said network equipment.
  3. Upon the release of a network equipment service program, a network equipment administrator shall obtain said program and, upon evaluation, update its network equipment service programs.
Article 10     (Management of Network Equipment Rules)
  1. Amendments to network equipment rules (network access rules, firewall rules, etc.) shall be made upon a review of user needs and evaluation of the level of risk to information and communication security, and be documented for reference, in the event of any addition, change, or deletion thereto.
  2. Network equipment rules shall be established granting users the least privilege and using positive lists in principle.
  3. An organization shall review network equipment rules at least once a year, evaluating their adequacy and removing unnecessary provisions.
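Articles 5 and 10 together describe what a periodic firewall or ACL review should establish: a positive list that ends in a default deny, least privilege (no wildcard source, destination or port in allow rules), a documented reason for every rule, and a review at least once a year. The following script is an added example of such a review, not part of the guidelines or any vendor tooling; the rule format (one dict per rule, in evaluation order) and the sample rule set are constructed assumptions, and a real deployment would load the rules from the device's own export.

```python
"""Firewall / ACL rule review helper.

Added example, not part of the guidelines. Checks a rule set against the
principles in Articles 5 and 10: positive lists ending in a default deny,
least privilege (no wildcard source, destination or port in allow rules),
a documented reason for every rule, and a review at least once a year.
The rule format (one dict per rule, listed in evaluation order) is an
assumption; adapt the loader to the export format of the actual device.
"""
from datetime import date

# Constructed sample rule set; addresses, reasons and dates are made up.
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "src": "10.10.1.0/24", "dst": "10.20.1.5",
     "port": "443", "reason": "office VLAN to intranet portal",
     "reviewed": "2022-01-15"},
    {"id": 20, "action": "allow", "src": "any", "dst": "10.30.1.0/24",
     "port": "any", "reason": "", "reviewed": "2020-06-01"},
    {"id": 30, "action": "allow", "src": "10.10.2.0/24", "dst": "10.20.1.9",
     "port": "22", "reason": "admin jump host to switch management",
     "reviewed": "2021-03-01"},
    {"id": 40, "action": "deny", "src": "any", "dst": "any", "port": "any",
     "reason": "default deny", "reviewed": "2022-01-15"},
]

WILDCARDS = {"any", "*", "0.0.0.0/0", "::/0"}


def is_wildcard(value):
    """True when a src/dst/port field matches everything."""
    return value.strip().lower() in WILDCARDS


def is_default_deny(rule):
    """A deny rule whose src, dst and port are all wildcards."""
    return rule["action"] == "deny" and all(
        is_wildcard(rule[f]) for f in ("src", "dst", "port"))


def review_rules(rules, today_iso, max_age_days=365):
    """Return a list of (rule_id, finding) tuples; an empty list means clean."""
    today = date.fromisoformat(today_iso)
    findings = []
    for rule in rules:
        # Least privilege: allow rules must name concrete endpoints and ports.
        if rule["action"] == "allow":
            wild = [f for f in ("src", "dst", "port") if is_wildcard(rule[f])]
            if wild:
                findings.append(
                    (rule["id"], "allow rule uses wildcard " + ",".join(wild)))
        # Every addition or change must be documented (Article 10, paragraph 1).
        if not rule["reason"].strip():
            findings.append((rule["id"], "no documented justification"))
        # Review at least once a year (Article 10, paragraph 3).
        age = (today - date.fromisoformat(rule["reviewed"])).days
        if age > max_age_days:
            findings.append((rule["id"], f"not reviewed for {age} days"))
    # Positive list: the last rule must deny everything not explicitly allowed.
    if not rules or not is_default_deny(rules[-1]):
        findings.append((None, "rule set does not end with a default deny"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in review_rules(SAMPLE_RULES, "2022-04-26"):
        print(f"rule {rule_id}: {finding}")
```

Run against the sample set on the guidelines' announcement date, the script flags rule 20 three times (wildcard source and port, no justification, last reviewed almost two years ago) and rule 30 once (review overdue); the findings list is what goes into the review record the guidelines ask to be kept.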
Article 11     (Network Equipment Logs)
  1. An organization shall keep network equipment logs, comply with internal backup regulations, and perform regular reviews to ensure applicability. Such logs shall be retained for at least six months for reference.
  2. Network equipment logs shall be protected against unauthorized access.
Article 12     (Outsourcing of Network Equipment Management)
    An organization shall follow the Reference Guidelines on the Supply Chain Risk Management of Service Enterprises in Securities and Futures Markets if it is to outsource the maintenance and operation or management of all its network equipment to external contractors.
Chapter 4 Security of Network Connection
Article 13     (Security Certification of Network Connection)
  1. An organization shall ensure the validity and legitimacy of SSL/TLS certificates to maintain the security of network connection.
  2. Where an organization offers online ordering service, it shall set forth a certificate delivery procedure that prevents third parties from obtaining the certificate, deliver the certificate through an authentication factor (e.g. OTP or SIM verification) different from that used in two-factor authentication, and apply the verification mechanism in full.
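Paragraph 1 of Article 13 asks an organization to ensure the validity and legitimacy of its SSL/TLS certificates. The script below is an added example of the checks an operator can automate for that, not code from the guidelines or from any vendor: it works on the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns after a verified handshake, so it can be exercised offline on a constructed certificate. It checks the validity window, the remaining lifetime, the host name against the DNS subjectAltName entries, and whether the certificate is self-signed. The sample certificate, host names and dates are constructed; chain validation itself is left to the `ssl` context, which performs it during the handshake.

```python
"""TLS certificate validity check (added example, not part of the guidelines).

Works on the dictionary that ssl.SSLSocket.getpeercert() returns after a
verified handshake, so it can be unit-tested offline on a constructed
certificate. Chain validation is done by the ssl context during the
handshake (ssl.create_default_context()); these checks complement it.
"""
import ssl

# Constructed certificate in getpeercert() layout; names and dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "TW"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example CA Issuing"),)),
    "notBefore": "Apr 26 00:00:00 2022 GMT",
    "notAfter": "Apr 26 23:59:59 2023 GMT",
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.trade.example.com")),
}
# Same certificate but with issuer == subject, i.e. self-signed (constructed).
SELF_SIGNED_CERT = dict(SAMPLE_CERT, issuer=SAMPLE_CERT["subject"])


def parse_cert_time(text):
    """Epoch seconds for a notBefore/notAfter string in getpeercert() format."""
    return ssl.cert_time_to_seconds(text)


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a '*' that is the whole leftmost label
    and stands for exactly one label, so *.example.com matches
    www.example.com but neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now, min_days_left=30):
    """Return a list of problems; an empty list means the certificate passes.

    `now` is epoch seconds so the check is deterministic in tests; pass
    time.time() in production."""
    problems = []
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    elif now > not_after:
        problems.append("expired")
    elif not_after - now < min_days_left * 86400:
        problems.append(f"expires within {min_days_left} days")
    # Clients ignore the CN when a SAN is present, so only SAN DNS names count.
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        problems.append("no DNS subjectAltName")
    elif not any(hostname_matches(n, hostname) for n in dns_names):
        problems.append("hostname mismatch")
    # A certificate that issued itself is not one a public CA vouched for.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed")
    return problems


if __name__ == "__main__":
    now = parse_cert_time("Oct 01 12:00:00 2022 GMT")
    for host in ("www.example.com", "api.trade.example.com", "evil.example.com"):
        print(host, check_certificate(SAMPLE_CERT, host, now) or "OK")
```

In production the dictionary comes from a socket wrapped with `ssl.create_default_context()`; an unverified connection returns an empty dictionary from `getpeercert()`, which this check reports as a missing subjectAltName rather than silently passing. The `min_days_left` threshold gives the renewal lead time the organization's certificate procedure requires.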
Article 14     (Network Transmission and Connection Security Management)
  1. An organization shall use relatively secure encrypted connections in offering internal/external services without affecting operation.
  2. An organization using a dedicated network line to connect to the network of a third party with which it collaborates shall install a firewall and close non-agreed ports to ensure intranet security of the organization.
  3. A securities firm or futures commission merchant offering online ordering service shall encrypt the online ordering screen.
  4. In the event of the international transmission of classified data, an organization shall develop an encrypted transmission mechanism, and, if client information is involved, obtain the authorization from the subject prior to transmission, not violate any restriction of a competent authority on international transmission, and keep complete audit records.
Article 15     (Remote Connection)
  1. An organization shall set forth remote connection regulations, restrictions on use, configurations, and requirements for connection, create documentation, develop a secure remote connection mechanism, including multi-factor authentication (employee account passwords, dynamic passwords, one-time passwords), encrypt connection, adopt the least privilege principle, retain complete audit trails of user operations, monitor and alert anomalies, update security vulnerabilities, and take other security measures, and also retain relevant records for re-examination by a competent supervisor.
  2. An organization must restrict login so that only the organization's own personnel may connect, keep complete records of the operation trails of the equipment, and prescribe the hours during which connection is available according to the operating hours of the relevant duties.
  3. An organization must prevent malicious or unauthorized connection through a secure connection mechanism, set forth rules in accordance with the least privilege principle, close unnecessary ports, and monitor network traffic with an anomaly alert and disconnection mechanism.
  4. An organization must adopt differential management for users with regard to access privileges in accordance with the least privilege principle, allowing only access necessary for the conduct of business and disabling access to unnecessary system functions.
Chapter 5 Cyberattack Protection Mechanism and Security Testing
Article 16     (Cyber-threat Protection Mechanism)
  1. A type 1 organization shall develop a cyber-threat protection mechanism to maintain business operation, e.g., intrusion detection and prevention mechanism, preventive measures against advanced persistent threats, and other protective mechanisms. A type 2 organization shall evaluate such development.
  2. A securities firm or futures commission merchant with online ordering service or an official website shall develop a protective mechanism against distributed denial-of-service attacks.
  3. A web application firewall shall be deployed where an information and communication system offers external services.
Article 17     (Security Testing)
  1. An organization shall assess periodically the security of its own network environment, e.g., operating system, server, browser, firewall, and antivirus versions, etc.
  2. An organization shall remediate security vulnerabilities in the network environment periodically and retain relevant documents.
  3. A penetration test shall be administered on an annual basis in relation to the information and communication system of a type 1 organization. A type 2 organization shall evaluate whether to administer such periodic test.
  4. A type 1 organization shall perform an information and communication security health check on an annual basis, including inspection of the network infrastructure, malicious cyber activity, malicious activity of the user computer, malicious activity of the hosting server, directory server settings, and firewall connection settings. A type 2 organization shall evaluate whether to perform such periodic check.
Chapter 6 Event Detection and Management
Article 18     (Event Detection)
  1. An organization shall develop a security operations center, including gathering event data, performing anomaly analyses, and detecting and determining threats.
  2. An organization shall detect links to phishing websites and malicious websites and remind users against phishing.
Article 19     (Report of and Response to Events)
  1. An organization shall develop an information and communication security event internal report mechanism, consisting of formal report procedures and the contact to whom such event is to be reported.
  2. Should an information service anomaly or information and communication security event affecting client rights and interests or normal operation occur, the Guidelines for Reporting and Responding to Securities and Futures Market Information and Communication Security Events and appropriate response procedures apply, and records shall be kept.
  3. An organization shall immediately report any material personal data security event occurring to it to the competent authority. Such an event denotes a situation where personal data are stolen, altered, damaged, lost, or leaked, jeopardizing the organization's normal operation or the rights and interests of a large number of parties.