Circular to All Licensed Corporations on Information Technology Management



Similar documents
AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

HIPAA Information Security Overview

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

HIPAA Security Alert

Internet Banking Internal Control Questionnaire

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Compliance Guide

An Introduction to HIPAA and how it relates to docstar

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls

HIPAA Security COMPLIANCE Checklist For Employers

Information Technology General Controls And Best Practices

General IT Controls Audit Program

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

IBX Business Network Platform Information Security Controls Document Classification [Public]

HIPAA Security. assistance with implementation of the. security standards. This series aims to

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

SECTION 15 INFORMATION TECHNOLOGY

Estate Agents Authority

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA: In Plain English

General Computer Controls

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

Client Security Risk Assessment Questionnaire

HIPAA Security Checklist

Network and Security Controls

State HIPAA Security Policy State of Connecticut

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

FINAL May Guideline on Security Systems for Safeguarding Customer Information

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Healthcare Compliance Solutions

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

HIPAA Security Rule Compliance

HIPAA Compliance Guide

Policies and Compliance Guide

CHIS, Inc. Privacy General Guidelines

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

FairWarning Mapping to PCI DSS 3.0, Requirement 10

RL Solutions Hosting Service Level Agreement

VMware vcloud Air HIPAA Matrix

Datto Compliance 101 1

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS Risk Assessment 357-7

Teleran PCI Customer Case Study

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

March

Information Technology Branch Access Control Technical Standard

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

Data Processing Agreement for Oracle Cloud Services

ECSA EuroCloud Star Audit Data Privacy Audit Guide

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Regulations on Information Systems Security. I. General Provisions

HIPAA Security Series

Music Recording Studio Security Program Security Assessment Version 1.1

Internal Controls, Fraud Detection and ERP

PCI DSS Requirements - Security Controls and Processes

VA Office of Inspector General

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

Department of Public Utilities Customer Information System (BANNER)

Cyber-Ark Software and the PCI Data Security Standard

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

How To Write A Health Care Security Rule For A University

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Compliance and Industry Regulations

MCOLES Information and Tracking Network. Security Policy. Version 2.0

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

HIPAA Privacy & Security White Paper

Transcription:

Circular 16 March 2010 Circular to All Licensed Corporations on Information Technology Management In the course of our supervision, it has recently come to our attention that certain deficiencies in information technology ( IT ) areas may expose licensed corporations and their clients to information security risks. Such deficiencies include: Use of certain facilities of the IT system (for example superuser account 1 and testing environment 2 ) without adequate safeguards and controls, which may facilitate unauthorized transactions and misappropriation of client assets which are difficult to detect; and Not implementing simple security measures such as password controls (for example, mandatory change of password for the first time login to the information system to prevent the use of common password initially assigned to all users), account management (for example, prompt removal of obsolete user accounts) and the activation of the audit log 3. Licensed corporations are hereby reminded that they are required to Have internal control procedures and financial and operational capabilities which can be reasonably expected to protect its operations, its clients and other licensed or registered persons from financial loss arising from theft, fraud, and other dishonest acts, professional misconduct or omissions 4 ; and Establish policies and procedures to ensure the integrity, security, availability, reliability and thoroughness of all information, including documentation and electronically stored data, relevant to the firm s business operations. The firm s operating and information management systems should meet the firm s needs and operate in a secure and adequately controlled environment 5. 1 2 3 4 5 Superuser account granted with privileged access rights can be used to perform a wide range of activities. Any dishonest or improper use of the superuser account may result in (i) improper amendment of clients particulars and transaction data (ii) disabling or removing the audit log and (iii) misappropriation of clients assets, e.g. through the posting of fraudulent transactions in dummy/nominee accounts. Testing environment is usually set-up to simulate the production environment for testing of system changes. Misuse of testing environment could lead to manipulation of testing data for the production of falsified clients information or even statements of account. Audit log records details such as user access and user activities performed in the information system. If the functionality of audit log is not properly managed, this may result in a lack of audit trail of unauthorized access or unusual activities. Paragraph 4.3 of the Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission Part IV Information Management, Management, Supervision and Internal Control Guidelines for Persons Licensed by or Registered with the Securities and Futures Commission 1 of 5

In this connection, management of licensed corporations should regularly review their existing information systems, policies and practices and consider enhancement where needed, so as to guard against unauthorized alteration of, or intrusion into, the information systems or the data. Given the significant differences that exist in the organizational structures as well as the nature and scope of the business activities conducted, there exists no single set of universally applicable control techniques and procedures which will guarantee the adequacy of information security. However, with a view to providing more guidance to licensed corporations, the Appendix has included some suggested control techniques and procedures in respect of the following key ideas: (c) (d) (e) (f) Information security policy; Access control; Encryption; Change management; User activities monitoring; and Data backup and continuity planning. Should you have any queries regarding the contents of this circular, please contact Coolky Sit at 2842 7767. Intermediaries Supervision Department Securities and Futures Commission 2 of 5

Appendix Information Technology Management Issues to be considered by licensed corporations A. Information security policy 1) Establish and implement appropriate internal information security policy and perform regular review and consider enhancement where needed 2) Perform compliance checking against the established information security policy 3) Raise staff awareness on the importance of information security 4) Issue information security procedures/guidelines to its clients who access the system services offered by the licensed corporations 5) Formulate and implement physical security policy to protect critical computer equipments (including the server and network device) in a secure environment B. Access control 1. User account and access rights management 1) Exercise proper management approval control over creation of new user account and granting/modifying access right 2) Set access right on a need-to-know basis and ensure segregation of incompatible duties 3) Review the validity of user account and appropriateness of its access right on a regular basis 4) Remove or terminate obsolete user accounts and their access rights 5) Create unique user-identification codes with appropriate authentication mechanism to ensure accountability of user activities 6) Grant superuser account only after due and careful consideration by management 2. Password policy and control 1) Implement effective password policy by setting, inter alia, minimum password length, password composition policy, and password life cycle 2) Implement adequate authentication mechanism (such as login by inputting a valid combination of user ID and password or when necessary consider additional authentication factors) 3. Network and system access control 1) Access to both testing and production environment should be restricted to 3 of 5

authorized parties only so as to minimize possible data manipulation and unauthorized system changes 2) Grant remote access right to external parties such as system vendors only on a needs basis and monitor the user activities to detect any unusual or unauthorized activities 3) Terminate remote access connection immediately when such connection is no longer necessary 4) Avoid access to/by external network such as Internet unless proper network safeguards (such as anti-virus mechanism and firewall) are implemented C. Encryption 1) Apply data encryption to protect sensitive information transmitted outside secured internal network (e.g. over the Internet) or stored in portable storage devices (e.g. USB memory key, CD/DVD-ROM or floppy disk) without strong physical/logical protection D. Change management 1) Test system changes properly, for instance, develop and execute test cases which cover all scenarios which can be reasonably anticipated in actual operation 2) Test system capacity and performance with sufficient data and transactions volume with reference to anticipated and historical peaks 3) Maintain proper audit trails for system changes and test results 4) Seek approval from management before system changes are migrated to the production environment 5) Avoid possible misuse of sensitive information (e.g. client information) by only allowing testing data (i.e. not production data) to be used in testing environment E. User activities monitoring 1) Make sure audit log is available to log user activities in the information systems and audit log should be restricted from modification 2) Management to monitor/regularly review the access to sensitive application program sources and databases 3) Perform performance monitoring on a continuous basis to ensure the availability of information systems F. Data backup and continuity planning 1) Perform backup on critical data on a regular basis 2) Access to data backup media should be restricted to authorized personnel only 3) Store a set of backup data off site 4) Test restoration of data from data backup on a regular basis to ensure availability of data in case of emergency 4 of 5

5) Access to data restoration functions should be restricted to authorized personnel only 6) Implement an effective business continuity plan. Based on the business continuity plan, IT disaster recovery plan should be formulated to ensure critical information systems can be resumed to support business operations End SFO/IS/004/2010 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information