
Title Reference Directions for Information Operation Resilience of Service Providers in Securities and Futures Markets
Date 2022.08.10 ( Announced )

Article Content

Chapter One - General Provisions
Article 1     These Reference Directions for Information Operation Resilience are established in accordance with the Financial Information Security Action Plan, established by the Financial Supervisory Commission, to strengthen the information operation resilience of securities firms, futures commission merchants, investment trust and investment consulting enterprises, ensure organizations can effectively implement response measures and reduce damage to a tolerable extent in the event core systems are interrupted.
Article 2     The organizations governed by these Directions include securities firms, futures commission merchants, securities investment trust enterprises and securities investment consulting enterprises. These organizations are grouped into two categories, as described below:
  1. Category 1:
    1. Organizations that appoint a Chief Information Security Officer in accordance with Article 36-2 of the Regulations Governing the Establishment of Internal Control Systems by Service Providers in Securities and Futures Markets.
    2. Tier 1, 2 and 3 securities firms as listed in the Establishment of Inspection Mechanism for Securities Firm's Information and Communication Security - Required Actions for Tiered Protection Schedule.
    3. Tier 1, 2 and 3 futures commission merchants as listed in the Establishment of Inspection Mechanism for Futures Commission Merchant's Information and Communication Security - Required Actions for Tiered Protection Schedule.
  2. Category 2:
    1. Organizations not in Category 1.
  3. For Taiwanese subsidiaries or branches of a foreign business group whose information security, business continuity or operation resilience management policies are established and controlled by the foreign parent company or head office, where the parent company or head office has established relevant control measures that are more rigorous, those measures shall govern; otherwise, local laws and regulations shall govern.
  4. Unless otherwise specified below, the following reference directions cover the compliance matters applicable to organizations in both Category 1 and Category 2.
Article 3
  1. Business continuity: The ability to handle and respond with flexibility when information operations are damaged, experience irregularities, or services are interrupted.
  2. Core business: Necessary business that directly provides trading services to clients or supports the continuous operation of the trading business.
  3. Core system: A necessary system that directly enables client trading or supports the continuous operation of the trading business. All other systems are non-core systems.
  4. Business impact analysis (BIA): An analysis method that identifies the impact on the organization as the period of interruption of core business lengthens.
  5. Maximum tolerable period of interruption (MTPD): The maximum period of interruption of core business that can be tolerated, taking laws and regulations, revenue losses and the demands of interested parties into consideration.
  6. Recovery time objective (RTO):
    1. RTO for core business: The target time from the occurrence of a disruptive incident affecting core business until the core business is recovered to the minimum tolerable service level, determined based on the results of the BIA.
    2. RTO for core system: The target time from the occurrence of a disruptive incident affecting a core system until the core system is recovered to the minimum tolerable service level.
    3. The RTO for a core system shall be shorter than or equal to the RTO for core business.
  7. Recovery point objective (RPO):
    1. RPO for core business: The tolerable amount of data loss pertaining to core business upon occurrence of a disruptive incident, determined according to the nature of the core business and the results of the BIA.
    2. RPO for core system: The tolerable amount of data loss pertaining to a core system upon occurrence of a disruptive incident, determined according to the nature of the core business.
    3. The RPO for a core system shall be less than or equal to the RPO for core business.
  8. Minimum tolerable service level: The minimum level of operation that the applicable core business is planned and expected to return to within its recovery time objective (RTO), based on the recovery objective of that core business.
  9. Disaster response mechanism: Response, disaster risk reduction or recovery measures applicable to the operating procedures of an individual system upon the occurrence of an irregularity or interruption of a core system caused by a disaster.
Chapter Two - International Business Continuity Management Standards
Article 4     The International Organization for Standardization (ISO) has established international standards for business continuity management. By introducing the ISO 22301 international business continuity management standard and obtaining the relevant certification, an organization is in a better position to refer to and adopt best practice and strengthen its business continuity management.
  1. Securities firms: Tier 1 securities firms as listed in the Establishment of Inspection Mechanism for Securities Firm's Information and Communication Security - Required Actions for Tiered Protection Schedule (with paid-in capital of NT$20 billion or above) shall obtain certification to the international business continuity management standard; Tier 2 securities firms shall introduce the international business continuity management standard.
  2. Futures commission merchants and investment trust and investment consulting enterprises: Organizations that appoint the Chief Information Security Officer in accordance with Article 36-2 of the Regulations Governing the Establishment of Internal Control Systems by Service Providers in Securities and Futures Markets shall introduce international business continuity management standards.
Chapter Three - Business Continuity Management
Article 5
  1. An organization shall create a unit responsible for business continuity management, with adequate workforce, materials and financial resources, to promote, supervise and review business continuity management matters.
  2. An organization shall establish regulations for management, training, exercises, and response and recovery relating to business continuity, and educate all staff and suppliers involved in core business and core systems so that they are familiar with the applicable regulations.
  3. An organization shall select individuals with appropriate authority and professional capabilities to take on these roles, and provide the necessary education and training on a regular basis.
Article 6
  1. An organization shall identify its core business and core system annually.
  2. For Taiwanese subsidiaries or branches of a foreign business group whose core system is established at their foreign parent company or head office, after providing relevant documents based on the information and communication security regulations and mechanism established by their foreign parent company or head office, they may perform the core system evaluations only on aspects where evaluations may be performed based on the local practice.
Article 7     An organization shall conduct a BIA annually to evaluate the degree of impact caused by interruption to core business, and produce the following analysis results to support the assessment of core system recovery strategies:
  1. An organization shall identify the business nature and important characteristics of core business, and on that basis determine the maximum tolerable period of interruption (MTPD), recovery time objective (RTO), minimum tolerable service level and recovery point objective (RPO) of core business, to be used as the basis for core system recovery.
  2. An organization shall determine the recovery time objective (RTO) and recovery point objective (RPO) of each core system as the basis for backup planning and the implementation of recovery operations.
  3. An organization shall prioritize what is to be recovered based on the importance of the core business or its recovery time objective (RTO), and identify the allocation of resources necessary to meet the minimum acceptable service level (including but not limited to site, infrastructure, network, telephone lines, information and communication systems, office software and hardware, office equipment, reserve funds, staff, documents and the suppliers necessary for recovery).
  4. An organization shall determine the minimum tolerable service level to be recovered in a timely manner after a disaster based on its operating strategies, operating objectives, organizational size and resources, reflecting the risks the organization is willing to accept.
Article 8     An organization shall create system backup and data backup mechanisms based on the results of the BIA:
  1. An organization shall establish an adequate data backup mechanism based on the system characteristics and recovery point objective (RPO), considering backup frequency, type of storage media (optical disk, external drive, magnetic tape), type of data (virtual DSM, source code, database, configuration files, etc.), type of backup (full, incremental and differential backup) and method of backup (synchronous network replication, asynchronous network replication and offline backup).
  2. When establishing the data backup mechanism, an organization is advised to consider the "3-2-1 backup rule":
    1. Create at least three backup copies.
    2. Store the copies on two different types of storage media.
    3. Keep at least one copy at a remote location.
  3. An organization shall establish an adequate system backup structure based on the system characteristics, the needs of the business unit and the recovery time objective (RTO), such as a mirror site, hot site, warm site or cold site.
  4. As part of its planning of system backup and data backup mechanisms, an organization shall consider data traffic, backup network equipment, backup lines, backup telecommunication service providers and backup information security protection equipment.
  5. An organization shall periodically examine the on-site and remote system backup mechanisms and the on-site and remote data backup mechanisms of core systems to confirm that they still satisfy the needs.
Article 9
  1. When planning a remote server room, an organization shall comply with the building and fire protection regulations promulgated by the government, taking supporting facilities into consideration, including power supply, HVAC arrangement, environment monitoring and warning systems.
  2. Category 1 organizations shall have a remote backup server room.
  3. Category 1 organizations shall equip the main server room with infrastructure enabling the backup mechanism, such as dual feeder lines, an uninterruptible power system (UPS) designed for the server room, a power generator designed for the server room, two or more telecommunication operators, and two or more external network lines.
  4. Category 1 organizations shall ensure their main server room and remote backup server room have sufficient power, water and gas supplies for 72 hours of operation in the event of a supply interruption.
  5. When evaluating relocation of an existing server room or establishment of a new server room, an organization shall consider the following:
    1. With reference to the Server Room Remote Backup Mechanism Reference Guide issued by the Executive Yuan, the organization shall ensure the locations of its main server room and remote backup server room are unlikely to be affected by the same interruption risk incident (for example, being in the same earthquake belt or the same power supply area), or that the distance between the main server room and the remote backup server room is more than 30 kilometers.
    2. An organization shall consider the geological conditions, natural disasters, man-made disasters (whether in proximity to a nuclear power plant, a factory processing chemical products or explosives, directly under an aviation route near an airport, a hospital with high patient traffic, or an area with a high public security risk), facilities (water, power, gas supplies and network connectivity), transportation convenience, staff commute time, etc. when determining the location.
    3. An organization is advised to consider whether too many enterprises in the same industry are sharing the same server room.
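The RTO/RPO relations in Article 3, the BIA outputs in Article 7, the RPO-driven backup frequency and 3-2-1 rule in Article 8, and the site-separation rule in Article 9 can be checked mechanically against an organization's own records. The following Python is an added example, not part of the Directions or of any regulator's tooling; the record fields, the hour units and the sample values are assumptions, and the RTO-within-MTPD check is the ISO 22301 relation rather than wording from the Directions.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class BiaRecord:
    """One BIA result for a core business and the core system behind it (hours)."""
    business: str
    mtpd_h: float      # maximum tolerable period of interruption
    biz_rto_h: float   # RTO of the core business
    biz_rpo_h: float   # RPO of the core business
    sys_rto_h: float   # RTO of the supporting core system
    sys_rpo_h: float   # RPO of the supporting core system

@dataclass
class BackupPlan:
    """Backup and site design for the core system (field names are assumptions)."""
    backup_interval_h: float   # how often data backups are taken
    copies: int                # total backup copies kept
    media_types: List[str]     # storage medium of each copy, e.g. ["disk", "tape"]
    offsite_copies: int        # copies held at a remote location
    site_distance_km: float    # main server room to remote backup server room
    shared_risk_zone: bool     # same earthquake belt or power supply area

def check_bia(r: BiaRecord) -> List[str]:
    """Findings against the RTO/RPO relations of Article 3 (empty = consistent)."""
    findings = []
    # RTO must fit inside the MTPD: the ISO 22301 relation the BIA in Article 7 rests on.
    if r.biz_rto_h > r.mtpd_h:
        findings.append(f"{r.business}: business RTO {r.biz_rto_h}h exceeds MTPD {r.mtpd_h}h")
    if r.sys_rto_h > r.biz_rto_h:
        findings.append(f"{r.business}: system RTO {r.sys_rto_h}h exceeds business RTO {r.biz_rto_h}h")
    if r.sys_rpo_h > r.biz_rpo_h:
        findings.append(f"{r.business}: system RPO {r.sys_rpo_h}h exceeds business RPO {r.biz_rpo_h}h")
    return findings

def check_backup_plan(r: BiaRecord, p: BackupPlan) -> List[str]:
    """Findings against Article 8 (RPO-driven frequency, 3-2-1) and Article 9 (site separation)."""
    findings = []
    if p.backup_interval_h > r.sys_rpo_h:
        findings.append(f"backup every {p.backup_interval_h}h cannot meet system RPO {r.sys_rpo_h}h")
    if p.copies < 3:
        findings.append(f"3-2-1: only {p.copies} backup copies, at least 3 required")
    if len(set(p.media_types)) < 2:
        findings.append("3-2-1: copies are not spread over two different storage media")
    if p.offsite_copies < 1:
        findings.append("3-2-1: no copy is stored remotely")
    # Article 9: the two rooms must not share one risk incident, or must be over 30 km apart.
    if p.shared_risk_zone and p.site_distance_km <= 30:
        findings.append(f"rooms share a risk zone and are only {p.site_distance_km} km apart")
    return findings

def review(r: BiaRecord, p: BackupPlan) -> List[str]:
    """All findings for one core business, BIA relations first."""
    return check_bia(r) + check_backup_plan(r, p)

# Constructed sample input (not from the Directions): consistent BIA, backup plan with gaps.
SAMPLE_BIA = BiaRecord("order routing", mtpd_h=4, biz_rto_h=2, biz_rpo_h=0.5,
                       sys_rto_h=1, sys_rpo_h=0.25)
SAMPLE_PLAN = BackupPlan(backup_interval_h=1, copies=2, media_types=["disk", "disk"],
                         offsite_copies=1, site_distance_km=12, shared_risk_zone=True)
```

On the constructed sample, review(SAMPLE_BIA, SAMPLE_PLAN) reports no BIA inconsistency but four backup-plan findings: hourly backups cannot meet a 15-minute system RPO, only two copies on a single medium, and two rooms 12 km apart in the same risk zone.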
Article 10     An organization shall create a disaster response mechanism to ensure that personal injuries and losses to its core systems and assets in the event of a disaster are minimized. The mechanism shall include but is not limited to:
  1. To establish an internal unit for disaster response and business continuity with the following specific responsibilities:
    1. To deploy self-protection and fire-protection personnel.
    2. To deploy an emergency reporting team or emergency action team.
  2. To identify risk scenarios that may cause interruption (including natural disasters, man-made disasters and information and communication security incidents), and propose emergency response measures to avoid, prevent and respond to emergencies under the various risk scenarios.
  3. To establish emergency response procedures, including escape, disaster risk reduction and evacuation as instructed by the self-protection and fire-protection team, and identify the status of damage to staff, office premises, communication and information equipment and other assets.
  4. To create emergency reporting procedures and specify the entity responsible for reporting and its responsibilities:
    1. To create reporting procedures within the organization, including deployment of the self-protection and fire-protection team, emergency response team or other responsible entities.
    2. To create procedures for reporting to external police and fire protection authorities (e.g. police department and fire brigade).
    3. To establish an information security reporting mechanism (e.g. formal reporting procedures and a contact person for reporting information security breaches). Information security incidents or service abnormalities relating to information systems shall be handled in accordance with the Guidelines Governing Securities and Futures Market Information and Communication Security Incident Reporting and Response; proper rectification procedures shall be taken and records shall be retained.
    4. Where reporting to the competent authority or an external entity such as a trade association is otherwise required by law or regulation, the relevant reporting procedures shall be established.
Article 11     An organization shall establish a business continuity plan to ensure the minimum acceptable service level can be achieved within the recovery time objective (RTO) in the event of a disaster. It shall include but is not limited to:
  1. Activation conditions.
  2. Description of participants and their responsibilities:
    1. To establish a business continuity management team or business continuity management committee.
    2. To review and determine the human resources for operation and support required for recovery of the core business.
    3. To appoint the person responsible for core system recovery and their deputy.
  3. Emergency response procedures and emergency reporting procedures.
  4. Recovery procedures for the core business and on-site and remote system recovery procedures (such as backup and recovery plans for computer equipment, communication equipment, power systems, databases and computer operating systems).
  5. Frequency of maintenance of the business continuity plan.
  6. Rules for business continuity training.
  7. Response planning and the appropriateness of contracts with external entities.
Article 12     An organization shall perform exercises designed for various scenarios and business conditions so that its exercise and test procedures operate effectively.
  1. An organization shall design exercise scenarios based on the identified risk scenarios that may cause interruption to core business (including natural disasters, man-made disasters and information and communication security incidents).
  2. An organization shall perform exercises based on disaster or accident scenarios, considering whether to involve the operating staff needed for the core system, the personnel who perform the core business and the suppliers required for recovery. It shall plan the number, size and tiers of systems (dedicated servers, virtual hosts, middleware, etc.) needed for the exercise.
  3. Prior to an exercise, an organization shall identify the possible risks (e.g. errors in or loss of production data caused by the exercise, a reduced level of information protection during the exercise, or damage to clients' rights caused by the exercise) and prepare protective measures in advance.
  4. Exercises shall cover verification of the standard operating procedures created for the various core systems (including but not limited to monitoring, tiered exercises, reporting, response and recovery).
  5. An organization shall perform regular exercises and verify the feasibility of its core system recovery every year, and shall plan on-site and remote system backup exercises, on-site and remote system reconstruction exercises (for systems without backup), or on-site and remote data backup restoration tests as needed, to ensure the staff's familiarity with, and the effectiveness of, the procedures; records of these exercises shall be retained.
  6. During remote system backup exercises, Category 1 organizations shall include verification of actual business operations, to validate that the internal resource arrangements and staff deployment, the coordination of external partners, and the adjustment and interfacing of the information network on which the minimum acceptable service level relies can operate effectively at all key moments. Category 2 organizations are encouraged to do the same.
  7. An organization shall convene a review meeting after each exercise to confirm whether the recovery mechanism and the exercise results have met the recovery time objective (RTO) and recovery point objective (RPO) requirements established by the organization, and examine whether the existing on-site and remote system backup mechanisms and on-site and remote data backup mechanisms of the core systems meet the needs of the core business.
Article 13
  1. An organization shall ensure the person originally responsible for the core system and their deputy are capable, competent and provided with sufficient training. Training topics and contents may include but are not limited to awareness training, business continuity, the latest relevant trends, backup technology training, lessons learned from exercises, relevant recent internal and external business continuity cases, changes to the information and communication system architecture, etc.
  2. An organization shall fully record the results of staff training and regularly examine the staff's awareness level and capabilities and the appropriateness of the training contents.
Article 14
  1. When a core system is outsourced, an organization shall ensure, based on the scope and characteristics of the outsourced services, that the recovery level, recovery time objective (RTO) and recovery point objective (RPO) of the core system can support the recovery of the core business to the minimum acceptable service level after a disaster. The organization shall perform regular exercises every year to validate the feasibility of core system recovery.
  2. An organization shall include the above business continuity management requirements in the outsourcing contract.
Chapter Four - References
Article 15
  1. Executive Yuan (June 2018), Cyber Security Management Act, National Law Database (moj.gov.tw).
  2. International Organization for Standardization (ISO) (October 2019), ISO 22301:2019 Security and resilience - Business continuity management systems - Requirements.
  3. The Bankers Association of the Republic of China (July 2021), Financial Institution Information and Communication Security Protection Standards (letter of the Financial Supervisory Commission).
  4. The Life Insurance Association of the Republic of China (October 2021), Draft Insurance Industry Information Operation Resilience Reference Regulation (letter of the Financial Supervisory Commission).
  5. Federal Financial Institutions Examination Council (FFIEC) (November 2019), FFIEC Information Technology Examination Handbook: Business Continuity Management, FFIEC press release.
  6. National Center for Cyber Security Technology (NCCST) (July 2014), Server Room Remote Backup Mechanism Reference Guide (NCCST operation regulations) (ey.gov.tw).