1. Foreword
To ensure that the information and communication systems provided by a securities firm possess consistent fundamental system security protection capabilities, these Operating Procedures are established to identify information security threats and vulnerabilities through various information and communication security assessment operations. The aim is to implement both technical and managerial control measures to improve and enhance the security protection capabilities of networks and information and communication systems.

2. Scope of Evaluation
- Securities firms shall, in accordance with the "Establishing Information Security Inspection Mechanisms for Securities Firms-Schedule for Required Measures under Tiered Protection," develop an assessment plan for their overall information and communication systems (including self-developed and outsourced systems) on the basis of these Operating Procedures. To ensure business continuity and protect client rights and interests, securities firms shall classify information assets according to their importance and impact level, conduct information and communication security assessments regularly and by classification, produce an "information and communication system information and communication security assessment report," implement corrective and preventive measures, and perform regular follow-up reviews. A foreign securities firm may follow its own information security checkup operating rules if those rules are stricter; otherwise, it shall comply with domestic regulations. Securities firms operating on a concurrent basis shall follow the rules applicable to their primary line of business; in the absence of such rules, these regulations shall apply.
- The assessment plan and results shall be submitted to the board of directors or approved by a managerial department authorized by the board, provided that, in the case of a Taiwan branch of a foreign securities firm, this may be done by the responsible person of the branch. The assessment plan shall be reviewed at least once every three years.

3. Classification and Assessment Cycle of Information and Communication Systems
- Information and communication systems are classified into three categories based on their importance:
- Testing may be conducted by sampling where a system comprises a large number of devices and the economic rights to those devices are owned by the company. The sample shall be at least 10% of all the equipment in the system or a minimum of 100 units each time.
- Where a material information and communication security incident occurs in a single system and is confirmed to constitute a personal data breach or a hacker attack, an information and communication security assessment of that system must be re-conducted and completed within three months.

4. Information and Communication Security Assessment
- Information architecture review
  - Review the network architecture configuration, the appropriateness of the information equipment security management rules, etc., to assess potential risks and take the necessary countermeasures.
  - Review the maximum impact of single points of failure and the risk-bearing capacity.
  - Review the adequacy of the measures taken in connection with business continuity.
  - Refer in a timely manner to the information security threat intelligence and protection recommendations published by the Financial Information Sharing and Analysis Center (F-ISAC) and implement the relevant measures.
  - Review whether servers are segmented into network segments according to the classification of information and communication systems, system functions, or service characteristics.
  - Review whether boundary protection equipment (including gateways, routers, firewalls, protective devices, etc.) and external network connection points have firewalls that control data transmission and resource access between the intranet and the internet, and restrict unnecessary connected parties and connection services.
- Network activity review
  - Review access logs and account authorizations for network equipment, servers, and IoT equipment to identify anomalies and verify the alert mechanisms.
  - Review the monitoring logs of information security equipment (such as firewalls, intrusion detection or prevention systems, anti-malware, data leakage prevention, spam filtering, phishing detection, web protection, etc.) to identify anomalies and verify the alert mechanisms.
  - Examine the network for abnormal connections or unusual Domain Name System (DNS) server queries, or monitor incoming and outgoing traffic, and cross-check it against known malicious IPs, proxy servers, or patterns consistent with malicious network behavior.
  - Review whether measures are established for detecting and handling counterfeit websites.
- Inspection of network equipment, servers, endpoint and communication equipment, IoT equipment, etc.
  - Conduct vulnerability scanning and remediation for network equipment, servers, endpoint equipment, IoT equipment, etc.
  - Inspect terminals and servers for the presence of malware.
  - Inspect the complexity of system account login passwords; review the storage protection mechanisms and access controls for external connection passwords (such as File Transfer Protocol (FTP) connections, database connections, etc.).
  - When performing IoT equipment inspections, follow the "Establishing Information Security Inspection Mechanisms for Securities Firms."
  - The following shall be carried out for network equipment, servers, IoT equipment, etc. that are accessible directly from the internet:
    - Conduct penetration testing.
    - Perform source code scanning or black-box testing of server application systems.
    - Review access authorizations for server directories and web pages.
    - Verify whether anti-tampering mechanisms for external websites and web pages are established.
    - Inspect the systems for abnormal authorized connections, unusual CPU resource consumption, anomalous database access activities, etc.
- Client-side application testing
  Connections between securities firms and client-side applications shall be encrypted. The following tests shall be conducted on applications delivered by securities firms to clients:
  - Vulnerability scanning where HTTPS or SFTP is provided.
  - Source code scanning or penetration testing.
  - Sensitive data protection testing (such as in memory and on storage media).
  - Key protection testing.
  - Implementation of the principle of least privilege, allowing users only the authorized access and control necessary to perform their assigned tasks and business functions.
- Security configuration review
  - Review server settings (such as Active Directory) related to password policies and account lockout policies.
  - Examine whether the firewall has security-risk ports or unnecessary ports open, and whether the connection settings have security vulnerabilities.
  - Review system access restrictions (such as Access Control Lists) and privileged account management.
  - Examine the update settings and update status of operating systems, antivirus software, office software, application software, etc.
  - Review the security measures for key storage protection mechanisms, access controls, etc.
  - Verify that user identity is authenticated when connecting from the internet to the company's intranet.
- Measures against breaches of the reliability and security of information and communication systems:
  - The company shall develop relevant countermeasures to enhance the reliability of its information and communication systems. These measures shall include:
    - Enhancing hardware reliability: including measures to prevent hardware failures and the provision of backup hardware equipment.
    - Enhancing software system reliability: including measures to improve software development quality and software maintenance quality.
    - Measures to improve operational reliability.
    - Early detection and early recovery measures for failures.
    - Disaster response measures.
  - A verification plan shall be established for system backup media, and the reliability of the backup media and the integrity of the backed-up information shall be validated.
  - The company shall develop relevant countermeasures against information and communication security breaches. These measures shall include:
    - Data protection: including measures to prevent leakage, destruction, or tampering, along with corresponding testing measures.
    - Prevention of illegal use: including access authorization verification, restriction of the application scope, prevention of illegal forgery, limitation of internet access, and detection and response measures.
    - Prevention of illegal applications: including defense, detection, and recovery measures.
- Review whether the information and communication systems comply with the requirements of the Establishing Information Security Inspection Mechanisms for Securities Firms and related directives of competent authorities.
- Review whether the SWIFT system of the information and communication systems complies with the Customer Security Programme (CSP) published by SWIFT and requirements of related directives of the Taiwan Stock Exchange and the Taiwan Securities Association. In the event of a conflict with the information and communication security assessment procedure hereunder, the SWIFT CSP shall take precedence.
Category I, Category II, and Category III information and communication systems shall all be incorporated into the information security assessment procedure based on the assessment items mentioned in the preceding paragraph, to ensure the effectiveness of the assessment.
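The network activity review item above asks for abnormal connections and unusual DNS queries to be cross-checked against known malicious IPs. As an added illustration (not part of these Operating Procedures or of any firm's tooling), the Python below reviews constructed DNS and connection log lines, matches destinations against a constructed indicator list standing in for a threat-intelligence feed, and flags DNS names whose leftmost label is long and high-entropy; the log format, the indicator set, and the thresholds are all assumptions.

```python
import math
from collections import Counter

# Constructed sample log lines (not from any real system). Assumed format:
# "<time> DNS <client-ip> <queried-name>" and "<time> CONN <src-ip> <dst-ip>:<port>"
SAMPLE_LOG = """\
10:00:01 DNS 10.1.2.15 www.example.com
10:00:02 CONN 10.1.2.15 203.0.113.10:443
10:00:05 DNS 10.1.2.22 4f9a2c7e1b8d6a0c3e5f7b9d1a2c4e6f.badexample.net
10:00:06 CONN 10.1.2.22 198.51.100.7:8080
10:00:09 DNS 10.1.2.30 mail.example.com
10:00:10 CONN 10.1.2.30 192.0.2.44:22
"""

# Constructed indicator list (documentation-range addresses) standing in for the
# firm's threat-intelligence feed, e.g. F-ISAC advisories referenced on the page.
KNOWN_BAD_IPS = {"198.51.100.7", "192.0.2.44"}

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label; encoded data scores high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_unusual_query(name: str, max_label: int = 24, min_entropy: float = 3.5) -> bool:
    """Flag names whose leftmost label is both long and high-entropy (assumed thresholds)."""
    first = name.split(".")[0]
    return len(first) > max_label and label_entropy(first) > min_entropy

def review_log(text: str, bad_ips=KNOWN_BAD_IPS) -> list:
    """Return (reason, client-ip, detail) findings for an assessor to triage."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the review
        _time, kind, client, detail = parts
        if kind == "DNS" and is_unusual_query(detail):
            findings.append(("unusual-dns", client, detail))
        elif kind == "CONN":
            dst_ip = detail.rsplit(":", 1)[0]  # strip the port before the lookup
            if dst_ip in bad_ips:
                findings.append(("known-bad-ip", client, detail))
    return findings

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```

Each finding names the internal client so the assessor can pull that host's access logs, which is the follow-up the review item expects.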

5. Information Security Measures to Enhance System Availability
Securities entities that offer online trading order services or maintain an official website shall implement information security measures to enhance system availability (such as deploying Distributed Denial of Service (DDoS) mitigation solutions, network traffic monitoring and redundancy, and establishing DDoS defense and response procedures, etc.), and shall conduct DDoS drills at least annually.

6. Social Engineering Drills
A drill email shall be sent at least once per year to personnel within the scope of security monitoring who use information and communication systems, to raise information and communication security awareness and thereby prevent malware intrusions carried out through social engineering tactics.

7. Qualifications and Obligations of the Assessment Unit
- An external professional institution may be entrusted, or an internal company unit may act, as the assessment unit. An external professional institution shall have no conflict of interest with the object of the information security assessment. An internal unit shall be independent of the original computer system development and maintenance units, etc.
- The assessment unit conducting information and communication security assessments of Category I information and communication systems shall meet the qualification requirements set forth in all of the following subparagraphs. An assessment unit conducting information and communication security assessments of Category II and Category III information and communication systems shall meet whichever of the following qualification requirements are relevant to the assessment items:
  - Possess knowledge of information and communication security management, such as holding a Certified Information Security Manager (CISM) certification or having passed the Information Security Management System Lead Auditor (ISO 27001 LA) examination, etc.
  - Possess technical capabilities in information and communication security, such as holding a Certified Information Systems Security Professional (CISSP) certification, etc.
  - Possess the capability to simulate hacker attacks, such as holding a Certified Ethical Hacker (CEH) certification or a Certified Incident Handler (CIH) certification, etc.
  - Be familiar with financial industry carrier applications, or have system development or audit experience.
- The assessment unit shall sign a confidentiality agreement and provide appropriate protective measures to prevent the leakage of all data pertaining to the case, including inspection documents, test logs, configuration parameters, source code, captured packet data, etc.
- No assessment unit or its personnel may conceal deficiencies, make misrepresentations, or divulge or misuse data, etc.

8. Assessment Report
- The information and communication system information and communication security assessment report shall include at least the qualifications of the assessment personnel, the scope of the assessment, the assessment items and objects, the assessment records, the deficiencies identified during the assessment, the severity and categories of those deficiencies, risk explanations, specific recommendations for rectification, and the results of the social engineering drills.
- The company shall classify risk levels based on the severity of the deficiencies in the assessment report, formulate corresponding control measures and rectification deadlines for each risk, and submit them to the audit unit for follow-up and review of the rectification of deficiencies.
- The review of deficiencies identified in the assessment report shall be submitted to the board of directors or a managerial department authorized by the board, provided that, in the case of a Taiwan branch of a foreign securities firm, this may be done by the responsible person of the branch, so that the rectification of deficiencies is supervised by senior management.
- The assessment report shall be retained, together with the documents relating to the rectification of deficiencies, etc., for at least five years.