Questionnaire for Intermediaries Providing Trading Services through Electronic Means

Similar documents
Information Technology Branch Access Control Technical Standard

CHIS, Inc. Privacy General Guidelines

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

Information Systems Security Assessment

Hang Seng HSBCnet Security. May 2016

NOTIFICATION OF THE STOCK EXCHANGE OF THAILAND Re: Standards of the Trading of Securities Through Internet, 2005

BOWMAN SYSTEMS SECURING CLIENT DATA

Retention & Destruction

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

Electronic Trading Information Template

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Internet Banking Internal Control Questionnaire

Proposed framework for Securities trading using wireless technology.

SFC ELECTRONIC TRADING REGIME

INFORMATION TECHNOLOGY MANAGEMENT CONTENTS. CHAPTER C RISKS Risk Assessment 357-7

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Settlement Agent Frequently Asked Questions

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

ELECTRONIC INFORMATION SECURITY A.R.

HIPAA Information Security Overview

SURVEY ON THE USE OF ONLINE FACILITIES FOR TRADING PURPOSES BY DEALERS REGISTERED WITH THE COMMISSION AS AT 30 APRIL 2000

Security Measures for the BOJ Open Network for Electronic Procedures on the Foreign Exchange and Foreign Trade Law

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Relocation of CCMS Data Centre to Tseung Kwan O Data Centre (Phase Two) Market Rehearsal (MR) Information Package. for. HKCC & SEOCH Participants

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

GE Measurement & Control. Cyber Security for NEI 08-09

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

CorporateGuard Comprehensive Crime Insurance

This document and the information contained herein are the property of Bowman Systems L.L.C. and should be considered business sensitive.

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Electronic business conditions of use

HIPAA Security Alert

Supplier Information Security Addendum for GE Restricted Data

Spillemyndigheden s Certification Programme Information Security Management System

PCI DSS Requirements - Security Controls and Processes

Record Keeping. Guide to the Standard for Professional Practice College of Physiotherapists of Ontario

ICT USER ACCOUNT MANAGEMENT POLICY

Consensus Policy Resource Community. Lab Security Policy

Supplier IT Security Guide

General Computer Controls

Internet Trading Regulations Of the Karachi Stock Exchange (Guarantee) Limited

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Altus UC Security Overview

Central Agency for Information Technology

OFFICE OF THE STATE AUDITOR General Controls Review Questionnaire

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

ipatch System Manager - HIPAA Compliance

Musina Local Municipality. Information and Communication Technology User Account Management Policy -Draft-

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

Net Report s PCI DSS Version 1.1 Compliance Suite

Secure Client Guide

SHARPCLOUD SECURITY STATEMENT

Vendor Questionnaire

Cathay Business Online Banking Quick Guide

GFI White Paper PCI-DSS compliance and GFI Software products

Cathay Business Online Banking

IT Security Procedure

Portal Administration. Administrator Guide

Payment Systems and Funds Transfer Internal Control Questionnaire

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Data Protection Act Guidance on the use of cloud computing

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

tell you about products and services and provide information to our third party marketing partners, subject to this policy;

ITECH Net Monitor. Standards Compliance

ONLINE BANKING AGREEMENT

Commodity Futures Trading Commission Privacy Impact Assessment

REVIEW OF THE INTERNAL CONTROLS OF THE RTA S INFORMATION SYSTEM

(Unofficial Translation)

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Connectivity Test for Upgrade of Securities and Derivatives Network (SDNet/2) for the Derivatives Market. Information Package for

Privacy Policy Version 1.0, 1 st of May 2016

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

HIPAA/HITECH Compliance Using VMware vcloud Air

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

IOM Data Privacy and Accuracy Policy

Information Security Policy

IBX Business Network Platform Information Security Controls Document Classification [Public]

Storage Guardian Remote Backup Restore and Archive Services

GUIDELINES ON COMPLIANCE FUNCTION FOR FUND MANAGEMENT COMPANIES

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Achieving Compliance with the PCI Data Security Standard

Management Standards for Information Security Measures for the Central Government Computer Systems

Best Practices For Department Server and Enterprise System Checklist

ICE SDR SERVICE DISCLOSURE DOCUMENT

CMS Operational Policy for Infrastructure Router Security

Last updated: 30 May Credit Suisse Privacy Policy

Security Features: Lettings & Property Management Software

region16.net Acceptable Use Policy ( AUP )

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

Regulated activities. Topic. 1.1 Regulated activities are defined under Schedule 5 to the SFO. They include:-

Preparing for the HIPAA Security Rule

A Rackspace White Paper Spring 2010

Transcription:

Questionnaire for Intermediaries Providing Trading Services through Electronic Means For completion by intermediaries intending to provide trading services through electronic means other than the provision of Automated Trading Services. Please provide additional information if any of your reply below is no. Name of Corporation Section 1: Basic Information 1.1 Describe the nature of your system. Order routing system Electronic communication network Internet portal Trading platform 1.2 Describe the types of services you intend to provide. Routing of orders on securities/futures/leveraged foreign exchange trading* Matching of orders on securities/futures/leveraged foreign exchange trading* Providing investment advice on securities/futures/leveraged foreign exchange trading* Publishing research or analysis on securities/futures/leveraged foreign exchange trading* Providing platform to facilitate trading activities Providing facilities for electronic clearing and settlement Bulletin board/chat room service* Electronic subscription service (e.g. eipo) Portfolio tracking Market price quotation Placing orders for fund subscription, switching and redemption 1.3 Please provide the location of your host server and backup server. Host server Backup server 1

1.4 Please provide your website address. 1.5 Describe the intended users of your systems/facilities. Retail clients High net worth clients Licensed brokers/fund houses/advisers* Authorized financial institutions/registered institutions* Trustees or custodians Other institutional clients 1.6 Describe your source of remuneration. Fixed fees from users Basis of computation of fee: Variable fees from users Basis of computation of fee: Advertisement fees Rebate or commission from intermediaries * Delete where not applicable Section 2: Responsible Parties 2.1 Please provide names of the following persons/entities: Responsible officer supervising the electronic trading service If the following functions are not carried out in-house, entities responsible for the functions: System developer or application service provider System administration System maintenance Data centre Database administration 2

Section 3: System Integrity 3.1 System security (a) Information security Use of alpha-numeric passwords with not less than 8 digits? Yes. No. Remark Use of latest encryption technology to secure communication over the Internet? Yes. No. Remark Are clients required to change passwords at regular intervals? Yes. No. Remark Do clients have an option to change passwords at any time? Yes. No. Remark Is there an automatic time-out feature for site access? Yes. No. Remark Will clients be restricted from more than one log-on at any time? Yes. No. Remark Will repeated failures in log in attempts trigger resetting of password? Yes. No. Remark (b) Network security Is the transaction database logically separated from web servers? Yes. No. Remark Are web servers residing in the Demilitarized Zone? Yes. No. Remark Are there firewalls to shield servers and internal network from unauthorized access? Yes. No. Remark Do the firewalls have appropriate rules? Yes. No. Remark 3

(c) Host security Are there intrusion detection devices to monitor any unauthorized access? Yes. No. Remark Is the intrusion detection log regularly reviewed by a senior officer? Yes. No. Remark Are control and operation of important devices (such as firewalls and routers) divided into two parts using separate passwords? Yes. No. Remark Are there router access controls to provide an additional layer of protection? Yes. No. Remark (d) Physical security Are the host and server systems placed in a locked room accessible by authorized persons only? Yes. No. Remark 3.2 System capacity and reliability (a) Are there adequate margins above current capacity? Yes. No. Remark (b) Is the system scalable? Yes. No. Remark (c) Will stress test be conducted periodically? Yes. No. Remark 3.3 Contingency (a) Are there emergency back-up server and power in place? Yes. No. Remark (b) Are there alternative means of communication in the event of system failure? Yes. No. Remark (c) Is there any written contingency plan? Yes. No. Remark (d) Do you conduct periodic rehearsal of the contingency plan? Yes. No. Remark 4

Section 4: Sufficiency of Information and Risk Disclosure for Clients 4.1 Specify the information/services that you will provide to your clients (please tick ). Details of services to be provided via the system Market risks relating to different types of services and products Default reading of relevant risk statement at appropriate juncture Account opening procedures Fees and charges for different types of services Pre-deal preview and confirmation of order Electronic confirmation of execution Circumstances and procedures for cancellation of transactions Electronic contract notes and statement Level of security and capacity of system Contingency arrangement Alternative means of communication with the firm in case of system failure Alerts on changes 4.2 Will the above information be disclosed on your website and client agreement? Yes. No. Remark Section 5: Order Handling and Execution 5.1 Do you have a procedure manual describing the process flow from receiving through execution of a client order? Yes. No. Remark 5.2 Have your written policies and procedure manuals been distributed and explained to all relevant staff to ensure that they understand the policies and procedures? Yes. No. Remark 5.3 Do you have exception reports and management reports for detecting and monitoring irregularities (for example, detecting attempts to mark up or down the closing price)? Yes. No. Remark 5.4 Will the exception reports and management reports be reviewed by senior management? Yes. No. Remark 5

Section 6: Content of the Website 6.1 Have you disclosed your name, licence/registration status, central entity number, and exchange trading participantship (if any) on your website? Yes. No. Remark 6.2 Does your website have any hyperlinks to overseas websites which target the Hong Kong investors (please provide additional information if your reply is yes )? Yes. No. Remark 6.3 Does your website have any hyperlinks to other entities which facilitate clients to open accounts with these entities (please provide additional information if your reply is yes )? Yes. No. Remark 6.4 Does your website contain relevant disclaimers (e.g. in respect of hyperlinks)? Yes. No. Remark Section 7: Declaration and Undertaking 7.1 We declare that in respect of our electronic trading system, we have: Adequate qualified and experienced personnel to conduct and supervise operations. Adequate system, network, host, and physical security. Fully tested and resolved operational integrity, security, reliability, capacity and contingency issues. Established a periodic review programme to comprehensively plan, test and monitor the system s integrity, security, reliability and capacity. Maintained written system documentation detailing functional and technical specifications of our systems. Maintained audit trails of all system changes and maintenance. Procedures to establish the true identity of any new client. Procedures to ascertain new client s financial situation, investment objectives, risk appetite and experience prior to providing service to them. Procedures to ensure that client orders are handled in a fair and timely manner, on best available terms and are properly recorded. These include: - having an accurate time-sequenced record of orders and transactions (with audit trail); - handling orders promptly and in the order received; - allocating executed trades fairly, promptly confirming executed trades to clients; 6

- agreeing with clients on accepting orders and confirmation of trades via an electronic trading system; - performing regular reconciliation of accounts to ensure account information is update; and - taking reasonable steps to safeguard confidential information transmitted electronically. Written procedures, including procedures to handle contingency situations to deal with communications and transactions. Procedures to provide clients with adequate information about our system. Included in client agreements appropriate and prominent risk disclosures highlighting the risks associated with electronic trading transactions, such as time lag in data transmission, that orders may not necessarily be executed at the price indicated on the electronic trading system, and that communications may be subject to interruption, blackout or delay. Communicated to clients the authentication technologies used and kept such records. Checked to ensure that the system does not contain inappropriate or misleading content. 7.2 We undertake that we will immediately notify the Commission of: Any significant change in the electronic trading system, in particular, the following: - nature of the system (question 1.1); - types of services we intended to provide (question 1.2); - system security (question 3.1); and - hyperlinks to other parties (questions 6.2 & 6.3). Significant system failure such as undue delay in confirming or executing client s orders and service outage. Repeated hacking or attempted hacking activities. For and on behalf of: Name of firm Name of director/responsible officer/ executive officer/chief executive/ person authorized by the board of directors* Signature Date * Delete where not applicable. 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information