TEMPORARY MEASURES ON THE MANAGEMENT OF INFORMATION SECURITY ASSURANCE IN THE SECURITIES AND FUTURES INDUSTRIES
 
(For the purposes of standardizing the construction and the assurance of security of the network and information system in the industry, the China Securities Regulatory Commission has formulated the "Temporary Measures for the Management of Information Security and Assurance in the Securities and Futures Industries".)
     
     
SUBJECT : SECURITIES AND FUTURES INDUSTRIES; INFORMATION SECURITY AND ASSURANCE
ISSUING DEPARTMENT : CHINA SECURITIES REGULATORY COMMISSION
ISSUE DATE : 04/08/2005
IMPLEMENT DATE : 04/08/2005
LENGTH : 1,499 words
TEXT :
TABLE OF CONTENTS

CHAPTER I GENERAL PRINCIPLES
CHAPTER II THE ALLOCATION OF SECURITY FUNCTIONS
CHAPTER III SAFETY GOAL AND BASIC PRINCIPLES
CHAPTER IV REQUIREMENTS FOR THE ASSURANCE OF SAFETY
CHAPTER V SUPPLEMENTARY REGULATIONS

CHAPTER I GENERAL PRINCIPLES

Article 1. For the purposes of strengthening the organization and coordination of the assurance for the securities and futures industry information security, setting up and perfecting the information security management system and execution system, improving the quality of the industrial information security assurance, conscientiously protecting the legal interests of investors, the present "Measures" are formulated according to relevant state laws and regulations.

Article 2. The present "Measures" shall be applicable to the supervision and management organization of the securities and futures market, the industrial self-disciplinary organizations and operation organizations. The supervision and management organization shall be the China Securities Regulatory Commission (hereafter referred to as "CSRC"); the industry self-disciplinary organizations include the stock exchanges, futures exchanges, and their telecommunications companies, the Securities Depository and Clearing Corporation, the Securities Association of China, China Futures Association; the operation organizations refer to the securities and futures exchange, fund management companies, and securities and futures investment and consulting companies.

CHAPTER II THE ALLOCATION OF SECURITY FUNCTIONS

Article 3. The CSRC is responsible for the supervision, management, organization and coordination of the information security assurance in the securities and futures industries.

Article 4. All stock exchanges, futures exchanges and their telecommunications companies, securities depository and clearing corporations, securities exchanges, futures exchanges, fund management companies, securities and futures investment consulting companies shall be the undertaker of responsibility (hereafter referred to as "Undertaker") for the operation and management of its information system security.

Article 5. A stock exchange shall be responsible for the safe operation of stock trading, publication of information and the market supervision and management information system. The securities telecommunications companies are commissioned by stock exchanges, securities depository and clearing corporations, and operation organizations to be responsible for the safe operation of the telecommunications system, and guarantee the timely and safe transmission of business data such as transactions and settlement data. The futures exchanges shall take charge of the safe operation of futures trading and settlement, the publication of information, and the information system and the telecommunications system for market supervision and management.

Article 6. The securities depository and clearing corporations shall be responsible for the safe operation of the securities depository and settlement business information system.

Article 7. The Securities Association of China is responsible for the organization and coordination of the assurance of the information security of its members such as the stock exchanges, fund management companies, and securities investment consulting companies.

China Futures Association is responsible for the organization and coordination of the assurance of the information security of its members such as the futures exchanges and futures investment consulting companies.

Article 8. A securities and futures company, fund management company, or securities and futures investment consulting company shall be responsible for the safe operation of the information system in its headquarters and its subordinate operation organizations.

CHAPTER III SAFETY GOAL AND BASIC PRINCIPLES

Article 9. The overall target of the assurance of information security is to secure the completeness, privacy, availability, timeliness, checkability and controllability of the information and information system, effectively protect the legal rights of all parties participating in the market, and promote the continuous, stable, and healthy development of the securities and futures market.

Article 10. The particular goals for the assurance of information security include:

(1) Protecting the physical environment, equipment and facilities, and the operating environment of the securities and futures information system;

(2) Ensuring the legality of the information content, and protecting the privacy, completeness, availability, timeliness, checkability and controllability of information in the process of collecting, transmitting, using and storing it, so as to protect the security of information;

(3) Improving the consciousness of information security, professionalism in security, the level of security management, and service for professionals in the securities and futures industry;

(4) Raising the availability and disaster recovery capability of the information system, and providing assurance for the continuous operation of business.

Article 11. The assurance of information security should comply with the following principles:

(1) The principle of responsibility: the responsibility for the management of security should be borne by "the person who takes charge" and "the person who operates the system". Emphasis should be laid on legal means when partitioning the responsibilities of other parties. Agreements and negotiation should be utilized to differentiate responsibilities among the different parties, so as to transfer risks in a transparent way and bind other parties through the undertakers of responsibility;

(2) The principle of standardization: national and international information security standards and industrial standards should be complied with in implementing graded protection of the information system;

(3) The principle of overall planning: the assurance of information security should be implemented throughout the entire process of handling information; both overall planning and focused priorities should be maintained, laying equal emphasis on safety and development, on management and technology, and on emergency protection and the long-term system;

(4) The principle of pragmatism: on the condition that the function and safety of the information system are assured, resources should be fully utilized, laying emphasis on efficiency and avoiding repetitive and random investment, while adopting the advanced technology and professional, safe services that are allowed by state laws and regulations. Scientific operation and management approaches should be adopted to reduce costs and guarantee the safe operation of the information system.

CHAPTER IV REQUIREMENTS FOR THE ASSURANCE OF SAFETY

Article 12. The undertaker of responsibility should set up a comprehensive information security system, taking a safety organization system as its core, a safety management system as its guarantee, and a safety technology system as its support. These three systems should be developed smoothly and be kept in balance.

Article 13. The undertaker of responsibility should set up a clearly defined organization system of information safety:

(1) Set up a three-tier working relationship including the strategy tier, the management tier, and the execution tier; clearly define the leader to take charge of the information security, set up a management department for information security, and designate an execution position for information security;

(2) Set up full-time safety administrator and safety auditor positions, who shall be responsible for the implementation and the auditing of information security respectively;

(3) Perform various forms of security training to reinforce the building of an information security professional team, raise the technical level of information security professionals, and raise the security awareness of employees.

Article 14. The undertaker of responsibility should set up a comprehensive information security administration system:

(1) Setting up uniform information security strategies and a comprehensive and operable information security administration system, guiding and standardizing the security planning and construction of the information system, and guaranteeing the proper understanding of the strategies and systems, as well as their effective compliance and execution;

(2) Reinforcing the security management of the information system assets, assuring the security of information system facilities, software, data, and technological files, implementing the responsibility system in the management of information system assets, implementing a graded management and privacy management, and putting emphasis on guaranteeing the security of core information system assets;

(3) Reinforcing the protection of the physical information system facilities, strictly implementing the security management of computer laboratories, the environmental security management and the measures for physical control;

(4) Setting up a security management process on all the stages of the information system including the network, system and application, implementing the security management in all the stages of the information system, including the planning, construction, operation and maintenance, independently managing its development and operation, and strictly implementing the daily real-time management and periodical management;

(5) Implementing a safety risk management in the information system, performing periodic appraisals on information assets, threats, and weaknesses, finding out hidden safety problems in a timely manner, performing preventative protection, and selecting suitable and effective safety measures.

Article 15. The undertaker of responsibility should set up an effective information security technological system:

(1) Setting up a comprehensive security warning system, and finding out hidden security problems in a timely manner;

(2) Reinforcing the current security defense system, and realizing an emphasized protection for the core business system;

(3) Setting up an effective safety warning system to monitor the core business system, and providing policy basis for further perfecting the information security system;

(4) Setting up a comprehensive emergency reaction system, formulating a standard and comprehensive emergency management and reaction process, periodically performing drills and tests of emergency recovery, and perfecting the information security announcement system;

(5) Setting up a suitable emergency recovery system according to the different security protection grades, periodically performing drills and tests of emergency recovery, and assuring the effective backup function after the occurrence of disaster to reduce the damage and influence of disasters.

CHAPTER V SUPPLEMENTARY REGULATIONS

Article 16. The CSRC organizes security examinations on the assurance of the information system security in the securities and futures industries. The examinations may be made by way of self-checks and entrusted checks.

Article 17. The power to interpret the present "Measures" shall remain with the CSRC.

Article 18. The present "Measures" shall be implemented as of the date of printing and publication.