A list of 31 key tasks: 10% of securities companies' average net profit to be invested in technology

On June 9, under the guidance of the China Securities Regulatory Commission and in accordance with the "Network Security Law", the "Data Security Law", the "Personal Information Protection Law", the "Key Information Infrastructure Security Protection Regulations", the "Securities and Futures Industry Network and Information Security Management Measures", the "14th Five-Year Plan" for the development of science and technology in the securities and futures industry, and other laws, regulations, regulatory provisions and industry plans, the Securities Association of China (hereinafter the "Association") issued the "Three-Year Improvement Plan for Network and Information Security of Securities Companies (2023-2025)" (hereinafter the "Security Improvement Plan").

In the first half of 2022, network security incidents in the securities industry occurred more frequently and had a significant impact on the safe and stable operation of the capital market. Insufficient information technology investment across the industry, outdated information system architectures, and weak information technology management capabilities have long been the main problems constraining the security of industry information systems. In response, the "Security Improvement Plan" sets out six major tasks for securities companies: technology governance capabilities, technology investment mechanisms, information system architecture planning and design, system development and testing management capabilities, system operation support capabilities, and the network and information security protection system. It thus sets the direction for securities companies' development over the next few years.

The overall goal of comprehensively improving the network and information security of securities companies over the next three years is to organize and guide securities companies to actively implement the plan's measures so that the construction of network and information security in the securities industry achieves solid results: the network and information security awareness of industry practitioners increases significantly, technology governance capability is effectively improved, control over information system architecture is comprehensively strengthened, investment in technology funding and personnel training continues to grow, the network and information security protection system becomes basically sound, and the industry's technological innovation and digital transformation reach a new level, providing strong support for the high-quality development of the industry, fully supporting the reform and development of the capital market, and firmly holding the bottom line of preventing systemic network and information security risks.

Six major tasks and 31 key tasks

As an action guide for securities companies' network and information security work over the next three years, the "Security Improvement Plan" follows the basic principles of robustness, systematicness, differentiation and innovation, and takes into account different years, different types of companies and different starting points. Within the six major tasks it formulates a list of 31 key tasks for improving network and information security, so that securities firms can implement them more clearly.

1. Continue to improve the level of technological governance

It mainly includes five tasks: comprehensively improving the strategic development plan for information technology, giving full play to the organizational role of technology governance, vigorously promoting the construction of the information technology management system, improving the three lines of defense of information technology risk management, and continuously improving the supplier management mechanism.

2. Establish a scientific and reasonable technology input mechanism

It mainly includes two tasks: reasonably increasing investment in technology funding and strengthening the development of technology talent.

3. Enhance the ability to control information system architecture planning

It mainly includes five tasks: establishing and improving the system architecture management mechanism, building and improving the enterprise-level application architecture, continuously strengthening the governance of the data architecture system, promoting the transformation and upgrading of the technical architecture in multiple directions, and continuously improving the independent control ability of the core system.

4. Strengthen system development and testing management capabilities

It mainly includes establishing and improving the requirements design and analysis mechanism, continuously improving the efficiency and security of code development, formulating and implementing information system code audit specifications, and comprehensively strengthening quality control of information system testing.

5. Consolidate system operation support capabilities

It mainly includes seven tasks: strengthening the management of bringing information systems online and taking them offline, comprehensively controlling the risk of information system changes, continuously improving the ability to detect information system faults, comprehensively improving the efficiency of event early warning and handling, improving the organization-level emergency response management mechanism, managing information system capacity and performance well, and ensuring data backup capability for important information systems.

6. Improve the information security protection system

It mainly includes eight tasks: implementing the grading and evaluation requirements of the graded protection scheme, deepening full life cycle management and control of vulnerabilities, improving security attack prevention and control capabilities, continuously strengthening network security situation awareness, notification and early warning, improving the certification mechanism for mobile client application software, strengthening the construction of the data security management system, continuing to strengthen security awareness training, and carrying out overall security construction.

Requirements in the official "Security Improvement Plan" that changed from the draft for comments

Reasonably increase investment in science and technology

The proportion in the draft for comments, "8% of average net profit or 6% of average operating income", has been raised further in the official text. The "Security Improvement Plan" encourages qualified securities companies to invest no less than 10% of average net profit or 7% of average operating income in the three years 2023-2025, and to keep capital investment stable. It also requires continuously optimizing the structure of information technology investment, increasing investment in research and development, network and information security, and IT application innovation (xinchuang), and deepening capacity building in information technology architecture design, system testing, security protection and digital transformation.

Strengthen the construction of scientific and technological personnel

The "proportion of information technology professionals of 6% of the company's total employees" in the draft for comments has been raised to 7%. The "Security Improvement Plan" requires strengthening the development of the technology talent team, formulating talent training plans, and establishing and improving talent incentive, guarantee and development mechanisms; building a professional network and information security team that matches the scale and complexity of business activities; strengthening the professional technical force behind core systems; and maintaining talent reserves in the architect, R&D, testing, operation and maintenance, and security tracks. It calls for continuously enriching the team of information technology professionals and encourages qualified securities companies, in light of their own circumstances, to gradually raise the proportion of information technology professionals to 7% of total employees, and the proportion of information security professionals to 3% of information technology professionals and not less than 2 people.

Focus on strengthening and improving security risk management and control capabilities

Compared with the draft for comments, the official text focuses on strengthening and improving the security risk management and control capabilities of the securities industry. The following requirements have been added:

  • New requirements for the third line of defense in risk management;
  • Stricter high-availability requirements for information systems, from "second-level switchover when a single component in the data center fails, with off-site disaster recovery deployment capable of minute-level switchover" to "the failure of a single physical device inside the data center does not affect the high availability of the cluster, and an overall cluster failure can be handled by second-level intra-city disaster recovery switchover or minute-level remote disaster recovery switchover";
  • Added requirements to strengthen the information security management of individual investors and the security management of cross-border data.

Data security is required to become routine work

The "Security Improvement Plan" requires the securities industry to establish long-term enterprise-level data planning and development strategies and to continuously strengthen enterprise data architecture governance: establish unified enterprise-level data standards, continuously raise the level of data standardization, standardize the identification, confirmation of ownership and classification of data, establish and implement technical protection capabilities at every stage of the data life cycle, and make data security routine work. Through dynamic tracking, continuous improvement and security risk monitoring across the entire data link, companies can keep abreast of the current state of data management and control and continuously optimize data governance strategies. The specific requirements are as follows:

  1. Establish a personal information protection system, clarify job responsibilities, standardize work processes, and strengthen management of the company and of external cooperating organizations. Implement national laws and regulations and industry regulatory requirements, strengthen the construction of the data security management system, classify and grade data on the basis of clearly defined data rights and responsibilities, and, focusing on the security protection requirements of the full data life cycle, build institutional norms with clear goals, clear responsibilities, clear boundaries and sound structure.
  2. Focus on accurately identifying static and dynamic data assets, and on the data processing stages of collection, transmission, storage, processing, sharing, deletion and destruction; take fine-grained data identification and permission control, full-link description and dynamic monitoring of data flows, and scenario-based data encryption and desensitization as the core content; and build in-depth security management and control capabilities covering terminals, network boundaries, networks, servers, databases and application systems. Fully isolate production environment data from development and testing environment data, and strictly control the exchange and use of data between environments.
  3. Focus on standardizing the effective identification, key protection and safe use of core data, important data and investors' personal information, and establish comprehensive data security monitoring capabilities and historical data security cleanup capabilities in accordance with the principle of "compliance with laws and regulations, minimum necessity", together with multi-factor identity authentication capability. Users who access data assets can be identified by passwords, cryptographic credentials, biometrics and other information, and user access is controlled on the basis of roles. All authorized operations comply with the principle of least privilege, and all user authorizations are recorded.
  4. Strictly follow the requirements of laws and regulations to conduct risk assessments of core data and important data processing activities, carry out effective personal information protection impact assessments, standardize investors' personal information processing activities, and establish and improve long-term security management mechanisms and protective measures for the entire data life cycle.
  5. Securities companies with cross-border business and application scenarios must strictly implement national laws and regulations and the various data security management regulations of the regulatory authorities, focus on strengthening the security management of core data, important data and personal information, and conscientiously organize data security assessments to ensure data security.
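As an added illustration of item 3 (not part of the Association's plan or of any vendor's product), the constructed Python module below enforces role-based, deny-by-default access to the three data categories the plan names, refuses any request without multi-factor authentication, and records every authorization decision so that denied attempts can be monitored; the roles, permission sets and sample users are assumptions made for the example.

```python
"""Constructed example: role-based, least-privilege authorization with a full decision log.
Data classes follow the plan's categories; roles and permissions are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

DATA_CLASSES = {"core_data", "important_data", "personal_info"}

# Hypothetical role -> explicitly permitted (data_class, operation) pairs.
# "Minimum necessity": anything not listed here is denied.
ROLE_PERMISSIONS = {
    "customer_service": {("personal_info", "read")},
    "risk_analyst": {("important_data", "read"), ("core_data", "read")},
    "dba": {("core_data", "read"), ("core_data", "write"), ("important_data", "write")},
}


@dataclass
class AuthorizationLog:
    """Append-only record of every authorization decision (allowed or denied)."""
    entries: list = field(default_factory=list)

    def record(self, user, role, data_class, operation, allowed, mfa_verified):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "data_class": data_class,
            "operation": operation, "allowed": allowed, "mfa": mfa_verified,
        })


def authorize(log, user, role, data_class, operation, mfa_verified):
    """Allow only when the user passed multi-factor authentication, the data class is
    a recognised category, and the role explicitly grants (data_class, operation).
    Every decision is logged before it is returned."""
    allowed = (
        mfa_verified
        and data_class in DATA_CLASSES
        and (data_class, operation) in ROLE_PERMISSIONS.get(role, set())
    )
    log.record(user, role, data_class, operation, allowed, mfa_verified)
    return allowed


def denied_attempts(log):
    """Monitoring hook: number of denied decisions, e.g. to feed an alerting threshold."""
    return sum(1 for e in log.entries if not e["allowed"])
```

Because the permission table is an explicit allow-list, adding a new data class or role never silently grants access; the log carries both allowed and denied decisions, as the plan's "all user authorizations are recorded" requirement implies.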

Epilogue

To promote the implementation of the "Security Improvement Plan", the Securities Association of China will strengthen supervision of network and information security improvement work in the securities industry, and, by providing security services, strengthening training and exchanges, and summarizing and promoting demonstration practices, guide the industry to benchmark and improve and build a sound securities technology ecosystem.

In the course of its business, the securities industry directly or indirectly collects a large amount of investors' personal information, including bank accounts, facial photographs and other sensitive personal information. The compliance of personal information processing is therefore the top priority in the securities industry's data security protection work.

Efficient data security management is essential to implementing the three-year plan for securities companies' network and information security. As a provider of enterprise-level integrated data security platform products and services, the Origin Security core team has worked in the network security industry for more than ten years, has extensive experience in security product technology and enterprise customer service, and is able to support securities institutions in putting the "Security Improvement Plan" into practice. At a time when data security products are becoming more complex and diverse and iterate frequently, Origin Security's integrated data security platform uDSP can safeguard the overall effectiveness of the data security team and help brokers simplify data security management.


Original article: blog.csdn.net/oripoint/article/details/131476808