Measures for the Management of Information Security and Assurance in the Securities and
Futures Industries
Chapter I General Provisions
Article 1 These Measures are formulated in accordance with Securities Law, Law on
Securities Investment Fund, Regulation on the Administration of Futures Trading and the laws and
administrative regulations concerning information security and assurance for the purpose of
safeguarding the safe operation of securities and futures information system, strengthening the
administration of information security in the securities and futures industries, promoting the stable
and healthy development of the securities and futures markets and protecting the legitimate rights
and interests of investors.
Article 2 These Measures shall apply to the information security, assurance, management and
supervision work in the securities and futures industries.
Article 3 The information security and assurance work in the securities and futures industries
shall follow the principle of “whoever operates takes responsibility and whoever uses takes
responsibility” with security prioritized and development safeguarded.
Article 4 The entities responsible for the information security and assurance in the securities
and futures industries shall implement the national laws and administrative regulations concerning
information security and the industry-related technical administration rules, technical rules,
technical guidelines and technical standards, conduct information security work, protect the
security of the transactions of investors and the security of their data, and bear responsibilities for
the safe operation of information system of their own.
The term “entities responsible” as mentioned in the preceding Article includes the institutions
undertaking the public functions of the securities and futures markets, the institutions undertaking
the operations of the IT public infrastructure in the securities and futures industries and other core
institutions and their affiliates (hereinafter referred to as the “core institutions”) in the securities
and futures markets, as well as securities companies, futures companies, fund management
companies, securities and futures services institutions and other securities and futures operating
institutions (hereinafter referred to as the “operating institutions”).
Article 5 The institutions which carry out third-party depository business for securities
companies' clients' settlement funds, the transfer and settlement business between banks and
securities companies, between banks and futures companies and between banks and fund
companies, and fund custody and sales business, shall safeguard the safe operation of relevant
business systems in accordance with relevant regulations.
Article 6 The suppliers who supply hardware and software products or technical services for
the securities and futures industries (hereinafter referred to as the “suppliers”) shall ensure that the
hardware and software products or technical services they provide are in line with national
technical administration rules, technical rules, technical guidelines and technical standards
concerning the information security in the securities and futures industries.
Article 7 The China Securities Regulatory Commission (CSRC) shall support and assist
national information security management departments to organize the implementation of
information security-related laws and administrative regulations and implement the supervision
and administration of the information security and assurance in the securities and futures
industries in accordance with law.
The local CSRC offices shall perform their regulatory functions in accordance with authorization.
Article 8 The CSRC and local CSRC offices shall establish an information security
coordination mechanism with national information security management departments and relevant
industry management departments, and establish an information security cooperation mechanism
with relevant national professional security institutions and the organizations for standardization.
Article 9 The industry associations of securities, futures, securities investment funds
(hereinafter referred to as the “securities and futures industry associations”) shall, in accordance
with the provisions of these Measures, conduct the self-regulation management on the information
security work of their members.
Article 10 The core institutions shall, in accordance with the provisions of these Measures,
supervise and guide the work of relevant market entities on their security and assurance of
associated information systems.
Chapter II Basic Requirements
Article 11 The core institutions and the operating institutions shall have qualified
infrastructure. The construction of infrastructure including equipment room, electricity, air
conditioning, fire fighting and telecommunications shall be in line with the relevant provisions of
the information security management in the industries.
Article 12 The core institutions and the operating institutions shall establish reasonable
network structure and divide security zones. Effective insulation shall be made among the security
zones with the ability to prevent, monitor and block any damage from internal and external
network attacks.
Article 13 The core institutions and the operating institutions shall establish information
systems which meet business requirements. The information systems shall have a reasonable
framework, adequate performance, capacity, reliability, expansibility and security to support the
operation and development of businesses.
Article 14 The core institutions shall have the ability to develop independently such
important information systems as transactions, prices, account opening, settlement, risk control and
communications, shall hold the executable programs and source code of those systems and store them
safely and reliably, and shall conduct a rigorous review and testing of the executable programs and
source code before any important information system is put into operation.
Article 15 The core institutions and the operating institutions shall have the ability to protect
against Trojan horses, viruses and other malicious codes so as to prevent malicious codes from
causing damage to information systems and to prevent information from being exposed or
tampered with.
Article 16 The core institutions and the operating institutions shall establish a sound IT
governance structure to specify the mechanism of power and responsibility of IT decision-making,
management, implementation and internal supervision.
Article 17 The core institutions and the operating institutions shall establish a sound IT
management system and operating rules and strictly implement them.
Article 18 The core institutions shall develop technical rules on the safe interconnection of
information systems between the core institutions and relevant market entities and report to the
CSRC for filing.
The core institutions shall urge relevant market entities to implement technical rules in accordance
with law.
Article 19 The core institutions shall provide a variety of mutual backup remote access
methods to ensure that relevant market entities can access safely, and conduct monitoring and
management on the remote access of relevant market entities.
Chapter III Requirements for Sustained Assurance
Article 20 The core institutions and the operating institutions shall guarantee adequate and
stable funding for IT investment and be equipped with sufficient IT staff.
Article 21 The core institutions and the operating institutions shall, in accordance with
industry planning and the development strategy of their own, develop informatization and
information security development planning to meet the needs of business development and
information security management.
Article 22 When the core institutions and the operating institutions newly build, upgrade,
change, or regenerate information systems or conduct other construction projects, they shall
conduct sufficient verification and testing.
Article 23 When important information systems of the core institutions, such as those for
transactions, prices, account opening, settlement and communications, are put into operation or
undergo a major change or upgrade, relevant market entities shall be organized to conduct
networking tests and a report shall be made as stipulated.
Article 24 The core institutions and the operating institutions shall regulate the operation and
maintenance of the IT infrastructure and important information systems so as to guarantee the safe
and stable operation of the systems.
Article 25 The core institutions shall guide relevant market entities to operate and maintain
properly the systems and communication facilities which are interconnected with these
institutions.
Article 26 The core institutions and the operating institutions shall establish data backup
facilities and save backup data in the same city and offsite as stipulated.
Article 27 The core institutions and the operating institutions shall establish failure backup
facilities and disaster backup facilities of important information systems to guarantee the
continuation of business activities.
Article 28 The core institutions and the operating institutions shall, as stipulated, submit data
to the securities and futures industry data center designated by the CSRC. The submitted data must
be truthful, complete, accurate and timely.
The securities and futures industry data center shall, in accordance with the relevant provisions of
the CSRC, conduct the collective saving of industry data to make sure that the data is safe,
complete and reliable.
Article 29 The core institutions shall be responsible for constructing and operating the
industry IT public infrastructure.
Article 30 The core institutions and the operating institutions shall strengthen the
management of information security and confidentiality to protect the security of investors’
information.
Article 31 The core institutions and the operating institutions shall establish network and
information security risk detection, monitoring, assessment and early warning mechanisms, timely
dispose of any potential risk which is found and make a report thereof as stipulated.
Article 32 The core institutions and the operating institutions shall establish information
security emergency response mechanisms, timely dispose of information security emergencies and
restore the normal operation of information systems as soon as possible, and make a report thereof
as stipulated without any delay, omission or concealment.
The core institutions and the operating institutions shall conduct an internal investigation on
information security incidents, investigate accountability and take corrective measures, and
cooperate with the CSRC and its local offices in investigating and disposing of the incidents.
The suppliers who supply hardware and software products or technical services which are related
to the information security incidents occurred to the core institutions and the operating institutions
shall cooperate with the investigation.
Article 33 The core institutions shall organize relevant market entities to do the information
security emergency drill once a year, and make a report thereof to the CSRC prior to the
implementation.
Article 34 The core institutions and the operating institutions shall train IT staff to ensure that
they have the ability to fulfill their duties.
Article 35 The core institutions and the operating institutions shall establish an information
security internal audit system, regularly carry out internal audit and rectify any problem found.
Chapter IV Requirements for Procurement of Products and Services
Article 36 The core institutions and the operating institutions shall establish a supplier
management system to find out and assess the qualification, professional experience, and product
and service quality of the suppliers on a regular basis.
Article 37 When the core institutions and the operating institutions procure hardware and
software products or technical services, they shall enter into contracts and confidentiality
agreements with the suppliers and shall expressly specify the rights and obligations on information
security and confidentiality in the contracts and confidentiality agreements.
When the procurement contracts involve such software products or technical services as securities
and futures transactions, prices, account opening and settlement, it shall be specified that the
suppliers must accept the extended investigation on information security conducted by the CSRC
and its local offices.
Article 38 The hardware and software products or technical services which the core
institutions and the operating institutions have procured shall meet the requirements of the prudent
operation and risk management. If the hardware and software products or technical services fail to
meet the requirements and affect the sustained operation of the core institutions and the operating
institutions, the CSRC is entitled to request the core institutions and the operating institutions to
improve or replace the same.
Chapter V Industry Self-regulation
Article 39 The securities and futures industry association shall formulate IT guidelines to
urge and guide its members to implement national and industry regulations and technical
standards on information security.
Article 40 The securities and futures industry association shall guide the industries to
strengthen the construction of IT talent team, regularly organize IT training and exchange and
improve the executive quality of IT staff.
Article 41 The securities and futures industry association shall guide and encourage the IT
research and innovation of the industries, enhance self-control ability, organize science and
technology awards and promote scientific and technological progress of the industries.
Article 42 The securities and futures industry association shall guide the suppliers to
participate in the work of informatization and information security in the industries in compliance
with regulations, promote fair competition in the market, and promote the common development
of the suppliers and relevant market entities.
Chapter VI Supervision and Management
Article 43 The CSRC shall establish an information security supervision and management
system with unified organization and graded responsibility bearing.
The information security management department of the CSRC shall be responsible for the
organization, coordination and guidance of information security work in the securities and futures
industries; relevant business regulatory departments shall conduct supervision and inspection on
the information security of the core institutions and the operating institutions in accordance with
the scope of duties; and the local CSRC offices shall conduct supervision and inspection on the
information security of the operating institutions within their jurisdictions in accordance with their
authorization.
Article 44 The CSRC shall organize the formulation of administrative regulations and
technical standards on information security in the securities and futures industries in accordance
with law.
Article 45 The CSRC and its local offices shall, in accordance with the scope of duties,
conduct investigation on the information security of the core institutions and the operating
institutions or entrust relevant professional security institutions of the state or the industries to
conduct security inspections. The core institutions and the operating institutions shall cooperate in
the inspection.
If the information security management of the core institutions and the operating institutions fails
to meet the specified requirements, the CSRC and its local offices shall order them to make
rectifications within a time limit, and part or all of their securities and futures business
operation activities may be suspended or restricted prior to rectification.
Article 46 The CSRC and its local offices may request the core institutions and the operating
institutions to provide materials on information security.
The core institutions and the operating institutions shall provide relevant materials timely,
accurately and completely.
Article 47 The CSRC shall organize the formulation of an information security emergency
preplan in the securities and futures industries, and urge and guide the industries to conduct
information security emergency work.
Article 48 The CSRC is entitled to investigate and dispose of the information security
incidents of the core institutions and the operating institutions.
For the information security incidents which damage the legitimate rights and interests of
investors or affect the safe and stable operation of the securities and futures markets, the CSRC
shall take supervision and management measures against or impose administrative penalties on
relevant entities.
Article 49 The CSRC shall circulate a notice on system vulnerabilities, potential safety risks
and product defects in the whole industries.
Article 50 If the core institutions and the operating institutions are in violation of the
provisions of these Measures, the CSRC may, depending on the circumstances, take measures
against them such as ordering correction, holding regulatory interviews, issuing letters of
admonishment, public reprimand, ordering regular reporting, ordering a disciplinary action against
the relevant persons, cancelling office qualifications and suspending or restricting the activities of
the securities and futures business operation; if circumstances are serious, they shall be subject to
warning or fining.
Chapter VII Supplementary Provisions
Article 51 These Measures shall come into force as of November 1, 2012. The Temporary
Measures for the Management of Information Security and Assurance in the Securities and
Futures Industries (No. 5 [2005] of the China Securities Regulatory Commission) shall be
repealed simultaneously.