Search Result

Article Content

 
1     Risk assessment and management (applicable to futures commission merchants that submit orders via the Internet):
  1. All of the company's information assets within the scope applicable to information security risk, and owners of the assets, shall be identified.
  2. The acceptable level of information security risk for each of the company's operations shall be determined.
  3. The company shall prepare written reports on information security risk evaluations. Evaluations shall be carried out at least once per year and relevant records retained.
2     Information security policy:
  1. The company shall adopt an information security policy and set information operations security levels in accordance with the needs of its business and applicable laws and regulations.
  2. The following content shall be included when the information security policy is formulated:
    1. A definition of information security, information security objectives, and the scope of information security.
    2. An explanation and description of information security policy, information security principles and standards, and rules with which employees must comply.
    3. A description of the organizational unit in charge of information security work, its authority and duties, and the internal segregation of duties.
    4. A description of emergency procedures for reporting and handling an information security incident and related rules.
  3. The information security policy adopted by the company shall be approved by its management and formally issued, with the requirement that all employees abide by the policy. Public and private entities that do business with the company online and providers of information services shall also be notified and jointly observe the policy.
  4. The company's information security policy shall be evaluated at least once per year to reflect the latest developments in laws, regulations, bylaws, technology, and business, thereby ensuring the effectiveness of the company's information security operations, and records of the evaluations shall be retained.
  5. Information security policy evaluations shall be conducted in an independent and objective manner, either in-house or outsourced to an outside professional institution.
3     Security organization
  1. The company shall designate a vice president or other high-level supervisor to be responsible for coordinating and implementing information security management, and as necessary may also establish an interdepartmental Information Security Task Force to exercise overall control over the coordination and study of policy, planning, and resource allocation for information security.
  2. As necessary for the purposes of information security management, the company shall assign responsibility for planning and implementing information security work to specially appointed persons or units, which shall be required to regularly participate in information security education and training and to pass evaluations.
  3. If the company lacks sufficient personnel, skills, or experience to meet its information security needs, it may retain outside scholars, experts, or professional private-sector organizations or groups to provide information security consulting services.
  4. The authorities and duties of the company's information processing departments shall be clearly segregated from those of its business units.
4     Categorization and control of assets
  1. Information assets shall be set out in a list, which shall be kept current.
  2. Rules shall be adopted to govern the classification and labeling of information (applicable to futures commission merchants that submit orders via the Internet).
5     Personnel security
  1. Employees shall be required to maintain confidentiality in accordance with applicable laws and regulations, and shall sign a non-disclosure agreement.
  2. When an employee leaves the company, the employee's ID code shall be canceled, and his or her security pass, door card, and related documents shall be collected.
  3. The company shall regularly (at least annually) give information security lectures for all employees (focusing on such topics as information security policy, information security laws and regulations, information security operating procedures, and the proper use of information technology equipment) and retain records of the lectures.
  4. Employees shall receive information security training that is appropriate for their position within the company; the number of hours of training received each year shall comply with the internal rules adopted by the company.
6     Physical and environmental security:
  1. Access to computer server rooms shall be controlled (e.g. by door cards).
  2. Computer server rooms shall have fire prevention equipment, which shall be inspected regularly, and natural disasters such as earthquakes and floods shall also be factors taken into consideration.
  3. Computer equipment shall have an independent power supply system, and the power supply system shall include uninterruptible power supply devices and a power generator.
  4. Procedures for retirement and disposal of equipment shall be established. Prior to retirement and disposal, any confidential or sensitive data and licensed software shall be removed, overwritten for security purposes, or physically destroyed, and it shall be ensured that data that was stored in computer hard drives and in storage media cannot be restored. Records of the retirement and disposal shall be preserved.
7     Management of Communications and Operations:
  1. Management of network security (Items A to F are applicable to futures commission merchants that submit orders via the Internet; items A, B and E are applicable to futures commission merchants that connect to public networks via the auction terminals ):
    1. Evaluating the security of network systems:
      1. A company shall regularly evaluate the security of its own network systems (e.g., its operating system, network servers, browsers, firewall, and its anti-virus software version) and retain related records.
      2. Security gaps in the network operating environment (including servers, portables, personal terminals, and computers provided at business locations for shared used by investors) shall be repaired regularly or as the need arises, and related documentation retained.
      3. Matters with a bearing on computer network security (e.g., promoting awareness of information security policy, prevention of hacker intrusions, and anti-virus measures) shall be internally announced.
      4. A specially appointed employee shall be responsible for computer servers and important software and hardware.
    2. Managing firewall security:
      1. A firewall shall be established.
      2. A specially appointed employee shall be responsible for managing the firewall.
      3. Records of firewall entries and exits and backup copies shall be retained for at least 3 years.
      4. Important website and server systems shall be isolated from the external Internet by firewalls.
      5. Firewall system configuration shall be approved by the proper supervisor.
    3. Managing network transmission security:
      Trading screens for order placing over the network shall be protected by encryption (e.g. SSL).
    4. Managing CA authentication and certificates:
      1. A futures commission merchant that handles trading orders online shall adopt certificate delivery procedures to prevent certificates from being obtained by persons other than their intended owners.
      2. A futures commission merchant that handles trading orders online shall use an authentication system for all orders.
    5. Protecting against computer viruses and malicious software:
      1. Anti-virus software shall be installed and its programs and virus definitions given timely updates.
      2. Computer systems and data storage media (including emails) shall be regularly scanned for viruses.
      3. Anti-virus protection shall cover personal terminals (including portables and computers provided at business locations for shared used by traders) and network servers.
      4. Email from unknown sources should absolutely not be opened, and special care shall be used in opening emails with attachments containing executable files.
      5. To prevent computer viruses from spreading and affecting computer security, the company shall adopt security rules governing the use of email.
    6. Inspecting the functions of online trading order submission systems:
      1. The functions provided by the online order submission system shall be inspected regularly and inspection records shall be kept.
      2. The online order submission system shall be monitored for any changes to the webpage or program, and any such changes shall be recorded and reported to the relevant personnel for handling.
  2. Management of the security of the computer system and operations:
    1. Managing computer equipment:
      1. The company shall enter into a written maintenance agreement with a services provider to establish what items are to be included in computer equipment maintenance work. A maintenance log shall be retained after completion of maintenance and the information systems unit shall appoint a person to inspect the log together with maintenance personnel from the services provider.
      2. When business operations require that personal information be collected, processed by computer, or transmitted and used internationally, the company shall adopt a policy on Segregation of Authority and Duties Between the Company and Software or Hardware Firms Regarding the Maintenance of Confidentiality and Liability for Damages.
    2. Computer system operating environment configuration and use authorization settings:
      1. Computer operating system environment configuration and use authorization settings shall be approved by the appropriate supervisor and implemented by system administrators.
      2. Computer system files shall be backed up completely before and after they are modified
    3. Security management for computer storage media:
      1. Backup copies of important software, related documentation, and inventory lists shall be made and stored in a separate safe location.
      2. If important backup files and software are stored in the same building that houses the computer center, they shall be kept locked in a fireproof room or in a cabinet that is both fireproof and earthquake-proof.
      3. The storage media used for backup materials shall be labeled with the name of the materials and their retention period.
      4. Handling procedures shall be established for media used to store confidential and sensitive information so as to prevent leaking or improper use of the information.
      5. A restoration test mechanism shall be established, to verify the integrity of backups and the adequacy of the storage environment.
    4. Management of computer operation:
      1. Computer operators shall strictly adhere to prescribed operating procedures.
      2. Complete and accurate records shall be provided in an operating log, which shall be inspected and approved daily by a supervisor. The operator and the supervisor may not be the same person.
      3. A specially appointed person shall be responsible for inspecting the information in the log of the computer system's master station and for regularly submitting the information to a supervisor for inspection and approval.
    5. The futures broker shall have a computer system that has adequate capacity and is capable of meeting the needs of its business.
    6. The futures broker shall adopt a mechanism and procedures for regular evaluations (at least once a year) of its computer system's capacity and security measures, to be carried out in-house or outsourced to an outside professional organization. Computer system capacity shall be stress-tested regularly and records of the testing retained.
8     Access control:
  1. The company shall adopt rules governing access control for the information system and notify the employees to abide by the rules in writing, electronically, or by other means.
  2. Authorization management:
    1. There shall be a detailed written description of controls on the access to and use of programs.
    2. When a person's employment status is changed, his or her use authorization shall be promptly updated.
    3. Access to and use of programs and files shall be granted on the basis of authorizations.
    4. Authorizations for computer access and use by outside contracted personnel shall be subject to appropriate control, and the authorizations shall be promptly canceled after the end of the contract period.
    5. Outside contracted personnel who enter the company's premises shall be subject to company security management, and security control measures shall be applied if they wish to use internal network resources (e.g., where contract personnel use a proxy server or establish a separate network, it is advisable that they be substantively isolated from the internal network).
    6. Regular (at least semiannual) examination and reconsideration shall be conducted of the user authorization of users who have not recently used the system (excluding users who are customers).
  3. Password management:
    1. Users making use of the system for the first time may not operate the system until they have changed their initial password.
    2. Passwords shall be saved in encrypted format.
    3. A user who forgets his or her password shall go through a rigorous identity check before he or she is allowed to use the system again.
    4. Initial passwords shall be generated randomly and have no connection with the user's identity.
    5. The login session shall be terminated when a password is input incorrectly three times in a row.
    6. Except where the input interface only allows for numerical input (e.g. telephone ordering systems), the company shall use strong passwords (at least six characters in length and including letters and numbers or other symbols) and encourage system users to change their passwords at least once every three months.
    7. The company's current website, servers, network neighborhood, routers, switches, operating system, databases, and other such software and hardware equipment shall be password-protected. The company shall avoid using default settings (e.g. "administrator," "root," "sa") or simple strings (e.g. "1234") as passwords and shall not fail to set administrator access privileges.
  4. Management of computer audit logs:
    1. Audit logs for important systems (such as server login systems and online order submission systems) shall log such matters as user ID numbers, login dates and times, computer identification information, and IP addresses.
    2. A specially appointed person shall be assigned to regularly inspect the computer audit logs of important systems.
    3. In keeping the relevant logs, it shall be ensured that procedures are in place for the collection, protection, and proper management of digital evidence, and the logs shall be kept for at least 3 years.
  5. Management of data input:
    1. The inputting or alteration of high-security or important data may be undertaken only with permission from the supervisor with proper authority.
    2. A log shall be kept of the data that is input or altered and the names and job titles of the persons who perform the inputting or alteration.
    3. Highly confidential important data (e.g. password files) shall be saved in encrypted format.
    4. If the company is a public company, it shall incorporate the Directions for Public Companies Reporting Public Information via the Internet into its internal control system and carry out information reporting in accordance with those Directions.
    5. When company personnel use an electronic certificate IC card, another type of certificate chip card, or other certificate carrier to represent the company in transmitting signatures (e.g. to the Market Observation Post System, the One-Stop Window for Securities Firm Filings, or the Office Document Exchange Center), a specially appointed person shall be responsible for maintaining custody of the certificate carriers and establishing a log book. Procedures governing the use and custody of related account numbers and passwords shall be adopted and implemented.
    6. When a certificate carrier is used to represent the company in transmitting signatures, if the server side is a futures commission merchant application system (e.g. Electronic Reconciliation Statement System), then a computer audit log shall be kept and the retention period for the logged data shall depend on the type of data generated by each individual signature operation.
    7. The personal information of customers and the company's internal personnel shall be properly handled in accordance with the Personal Information Protection Act.
    8. The company shall at regular or irregular intervals audit the management of information defined as personal information by the Personal Information Protection Act.
    9. Any updates, edits, or strike-outs of the aforementioned personal information shall be reported for recordation, and a complete and accurate log shall be maintained showing the content of the updates, edits, or strike-outs, the names of the persons making the changes, and the times at which the changes were made.
  6. Management of data output:
    1. Are reports and statements generated and delivered to the proper units in a timely manner?
    2. Are appropriate control procedures in place for printing out or browsing confidential or sensitive reports and statements?
    3. There shall be an encrypted transmission mechanism (e.g. SSL) for traders querying personal information on the company website.
9     Systems development and maintenance:
  1. The requirements of information security shall be included in the analyses and specifications when an application system is being planned and analyzed.
  2. Are checks performed to confirm the accuracy of data that is input into the system?
  3. Legal software shall be used.
  4. Contracts shall be entered into for outsourced work. The content of contracts entered into for outsourced work shall include an information security agreement and terms and conditions including the right to audit the information security of the outsourced firm.
  5. When a completed program requires maintenance, it must be carried out in accordance with formally approved procedures.
  6. All documents and handbooks shall be properly maintained and controlled.
  7. A specially appointed person shall be responsible for maintaining application systems.
  8. The company shall cooperate in carrying out any necessary full market test of an application system prior to the online offering of new futures or options products or in response to related operational changes in the trading or clearing systems.
  9. Management of changes to application systems:
    1. The files that contain programs, data, and job control commands for formal operations and for test operations shall be stored in separate locations.
    2. When a program is modified its documentation shall be promptly updated.
  10. The company shall regularly (at least semiannually) scan its information system for vulnerabilities, and where potential vulnerabilities are identified, it is advised to evaluate the associated risks or install software patches, and retain a record of its handling of the matter (applicable to futures commission merchants that submit orders via the Internet).
10     Management of business continuity:
  1. Failure recovery procedures (e.g. backup and recovery plans for computer equipment, telecommunications equipment, power systems, databases, and computer operating systems) shall be clearly formulated and provided in a printed manual.
  2. Failure recovery procedures shall be tested periodically; after testing, a review meeting shall be convened to consider ways to improve shortcomings and a record of the proceedings shall be retained.
  3. Futures brokers shall have backup measures in place for their trading servers.
  4. The company is advised to formulate a business continuity plan (covering such matters as activation conditions, participating personnel, emergency response procedures, backup procedures, maintenance schedules, education and training, descriptions of job duties, response plans of outside entities with which the company does business, and contract suitability) and the maintenance measures necessary for the plan, and to prescribe the key operations and related impact analyses.
  5. The company shall adopt an information security reporting mechanism (e.g. formal reporting procedures and contact persons for information security incident reports), and is advised to take appropriate corrective procedures for information securities incidents relating to its information system and to retain related records.
  6. If the company experiences any information security event such as theft, alteration, damage, loss, or disclosure of personal information, it shall immediately report by official letter to the Taiwan Futures Exchange, which shall forward the report to the competent authority.
  7. The company shall clearly formulate operational procedures for defending against and responding to distributed denial-of-service (DDoS) attacks.
11     Compliance:
  1. A company shall regularly (at least annually) carry out an information security audit (either in-house or outsourced to an outside professional organization) and keep an audit log.
  2. Does the company monitor corrective action taken in response to the aforementioned information security audits (including audit summaries, scope of audits, description of deficiencies, and recommendations for improvement)?
12     Other: Provision of information:
  1. All important laws, regulations, bylaws, and notices shall be promptly posted on a public bulletin board.
  2. A dedicated bidding terminal may not be installed in a reading room.
  3. Real-time futures and options trading data posted on the company's website shall be provided by a data company that has entered into a contract with the Taiwan Futures Exchange.
  4. Information provided to the public on the company's website shall be inspected regularly, and information that is confidential or sensitive shall be promptly removed.