Financial Information Service Co., Ltd. Financial Blockchain Information System 財務信息服務有限公司。財務區塊鏈信息系統。
Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, and Confidentiality (SOC 2) 有關安全、可用性、處理完整性和機密性(SOC 2)的服務組織控制報告
For the Period January 1, 2023, to December 31, 2023 2023 年 1 月 1 日至 2023 年 12 月 31 日期間
We have been engaged to report on Financial Information Service Co., Ltd. (the "service organization" or "FISC") accompanying description of its Financial Blockchain Information System in section 3 titled "FISC's Service Organization's Description of its Financial Blockchain Information System (FBIS)" throughout the period January 1, 2023 to December 31, 2023 (the "description") based on the criteria for a description of a service organization's system set forth in DC section 200, 2018 Description Criteria for a Description of a Service Organization's System in a SOC Report (AICPA, Description Criteria) ("description criteria") and on the design and operation of controls stated in the description to provide reasonable assurance that FISC's service commitments and system requirements were achieved based on the trust services criteria relevant to security, availability, processing integrity, confidentiality set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria) ("applicable trust services criteria"). 我們已獲委託就財務信息服務有限公司(以下簡稱"服務機構"或"FISC")於 2023 年 1 月 1 日至 2023 年 12 月 31 日期間(以下簡稱"描述")的財務區塊鏈信息系統進行報告,該報告包括在第 3 節標題為"FISC 服務機構對其財務區塊鏈信息系統(FBIS)的描述"中,根據 AICPA 2018 年描述準則中關於服務機構系統描述的標準("描述準則"),以及根據描述中所述的控制設計和操作,以提供合理保證,即 FISC 的服務承諾和系統要求是基於安全性、可用性、處理完整性、機密性相關的信任服務標準,該標準在 AICPA 2017 年信任服務標準中設定("適用的信任服務標準")。
Service Organization's Responsibilities 服務機構的責任
FISC is responsible for: preparing the description and accompanying statement in section 2 titled "Statement of FISC Management", including the completeness, accuracy, and method of presentation of the description and statement; providing the services covered by the description; selecting the applicable trust services category or categories and stating the related controls in the description; identifying the risks that would threaten the achievement of the service organization's service commitments and system requirements; and designing, implementing, and operating controls that are suitably designed and operating effectively to provide reasonable assurance that its service commitments and system requirements were achieved. 財務資訊服務中心(FISC)負責:準備第 2 節標題為“財務資訊服務中心管理層聲明”的描述和附帶聲明,包括描述和聲明的完整性、準確性和呈現方式;提供描述中涵蓋的服務;選擇適用的信託服務類別或類別並在描述中陳述相關控制;識別可能危及服務組織服務承諾和系統要求實現的風險;並設計、實施和運作適當設計並有效運作的控制,以合理保證其服務承諾和系統要求的實現。
RESTRICTED. NO COPIES ALLOWED. 受限制。不允許複製。
Service Auditor's Independence and Quality Control 服務稽核師的獨立性和質量控制
We have complied with the independence and other ethical requirements of the Norm of Professional Ethics for Certified Public Accountant of the Republic of China, issued by National Federation of CPAs Associations of the Republic of China (Taiwan), which contains integrity, objectivity, professional competence and due care, confidentiality, and professional behavior as the fundamental principles. 我們已遵守中華民國會計師公會職業道德準則的獨立性和其他道德要求,該準則由中華民國(台灣)會計師公會聯合會發布,其中包含誠信、客觀性、專業能力和應有的注意、保密性以及專業行為等基本原則。
The firm applies the Standards on Quality Management 1, Quality Management for Public Accounting Firms, issued by the Auditing Standards Committee in Taiwan and, accordingly, maintains a comprehensive system of quality controls, including documented policies and procedures regarding compliance with ethical requirements, professional standards, and applicable legal and regulatory requirements. 本公司遵守台灣審計準則委員會發布的《會計師事務所品質管理標準 1:會計師事務所品質管理》,並相應地保持一套全面的品質控制系統,包括有關遵守道德要求、專業標準以及適用的法律和監管要求的文件化政策和程序。
Service Auditor's Responsibilities 服務審計師的責任
Our responsibility is to express an opinion on the description and on the design and operation of controls related to the service commitments and system requirements stated in the description based on our procedures. We conducted our engagement in accordance with Assurance Engagements 3000, Assurance Engagements Other than Audits or Reviews of Historical Financial Information, issued by the Auditing Standards Committee in Taiwan. That standard requires that we plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is presented in accordance with the description criteria, and the controls are suitably designed and operating effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. 我們的責任是根據我們的程序對描述、與描述中所述的服務承諾和系統要求相關的控制設計和運作發表意見。我們根據台灣審計標準委員會發布的《保證性工作 3000 號,除歷史財務資訊之審計或審查之外的保證性工作》進行我們的工作。該標準要求我們計劃並執行我們的程序,以獲得合理保證,即在所有重大方面,描述符合描述標準,並且控制設計合適且有效運作,以提供合理保證,即服務組織的服務承諾和系統要求基於適用的信任服務標準得以實現。
An assurance engagement to report on the description and the design and operating effectiveness of controls at a service organization involves performing procedures to obtain evidence about the disclosures in the service organization's description of its system and the design and operating effectiveness of controls. The procedures selected depend on the service auditor's judgment, including the assessment of the risks that the description is not presented in accordance with the description criteria and that controls are not suitably designed or operating effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to obtain reasonable assurance that the service commitments and system 保證承諾承擔對服務機構的描述、控制設計和運作效能進行報告的保證承諾,涉及執行程序以獲取有關服務機構系統描述及控制設計和運作效能的證據。所選擇的程序取決於審計師的判斷,包括評估描述是否符合描述標準以及控制是否設計得當或運作有效的風險。我們的程序包括測試我們認為必要以獲得合理保證的那些控制的運作效能,以確保服務承諾和系統描述中所述的要求已實現。這類保證承諾還包括評估描述的整體呈現。
requirements stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description. 我們相信我們獲得的證據足夠且適當,可為我們的意見提供合理的基礎。
We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Our examination also included performing such other procedures as we considered necessary in the circumstances. 我們的審查還包括進行我們認為在當時情況下必要的其他程序。
Limitations of Controls at a Service Organization 服務組織的控制限制
The description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the system that each individual customer may consider important to meet their own environment. Also because of their nature, service organization controls may not always operate effectively to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria. Also, the projection of any evaluation of the suitability of design or operating effectiveness of the controls to future periods is subject to the risk that controls at a service organization may become inadequate or fail. 這份描述是為了滿足廣泛客戶及其稽核師的共同需求而準備的,因此可能不包括每個個別客戶可能認為重要以滿足其自身環境的系統的每個方面。同樣,由於其性質,服務組織的控制可能不總是有效運作,無法提供合理保證,即根據適用的信任服務標準實現服務組織的服務承諾和系統要求。此外,對控制的設計或運作有效性的任何評估的預測,將來期間的適當性,存在著服務組織的控制可能變得不足或失敗的風險。
Description of Tests of Controls 控制測試描述
The specific controls tested, and the nature, timing, and results of those tests are listed in section 4 titled "Trust Services Category, Criteria, Related Controls, and Tests of Controls". 測試的具體控制措施,以及這些測試的性質、時間安排和結果列在第 4 節中,標題為“信任服務類別、標準、相關控制和控制測試”。
Opinion 意見
Our opinion has been formed based on the matters outlined in this report. In our opinion, in all material respects, 我們的意見是根據本報告中概述的事項形成的。我們認為,在所有重大方面,
a. The description presents FISC's Financial Blockchain Information System as designed and implemented throughout the period January 1, 2023, to December 31, 2023, in accordance with the description criteria. a. 描述將 FISC 的金融區塊鏈信息系統呈現為根據描述標準於 2023 年 1 月 1 日至 2023 年 12 月 31 日期間設計和實施。
b. The controls stated in the description were suitably designed throughout the period January 1,2023 , to December 31 , 2023, to provide reasonable assurance that FISC's service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated effectively throughout that period. b. 描述中所述的控制在 2023 年 1 月 1 日至 2023 年 12 月 31 日期間適當設計,以合理保證如果其控制在該期間內有效運作,則 FISC 的服務承諾和系統要求將根據適用的信任服務標準得以實現。
c. The controls, which were those necessary to provide reasonable assurance that FISC's service commitments and system c. 控制措施,這些措施是為了提供合理保證,以確保 FISC 的服務承諾和系統
RESTRICTED. NO COPIES ALLOWED. 受限制。不允許複製。
requirements were achieved based on the applicable trust services criteria, operated effectively throughout the period January 1, 2023, to December 31, 2023. 要求根據適用的信任服務準則實現,自 2023 年 1 月 1 日至 2023 年 12 月 31 日期間有效運作。
Restricted Use 限制使用
This report, including the description of tests of controls and results thereof in section 4, is intended solely for the information and use of FISC, user entities of FISC during some or all of the period January 1, 2023, to December 31, 2023, independent auditors, and regulators who have sufficient knowledge and understanding of the following: 本報告,包括第 4 節中對控制測試及結果的描述,僅供 FISC、FISC 用戶實體在 2023 年 1 月 1 日至 2023 年 12 月 31 日期間的信息和使用,獨立審計師和具有足夠知識和理解以下內容的監管機構使用:
The nature of the service provided by the service organization. 服務組織提供的服務性質。
How the service organization's system interacts with user entities, business partners, subservice organizations, and other parties. 服務組織的系統如何與用戶實體、商業夥伴、子服務組織和其他方互動。
Internal control and its limitations. 內部控制及其限制。
User entity responsibilities and how they may affect the user entity's ability to effectively use the service organization's services. 用戶實體的責任以及它們如何影響用戶實體有效使用服務組織的服務能力。
Complementary user entity controls and how they interact with related controls at the service organization to achieve the service organization's commitments and system requirement. 輔助用戶實體控制及其與服務組織相關控制的互動,以實現服務組織的承諾和系統要求。
The applicable trust services criteria. 適用的信任服務標準。
The risks that may threaten the achievement of achievement of the service organization's service commitments and system requirements and how controls address those risks. 可能威脅服務組織服務承諾和系統要求實現的風險,以及控制如何應對這些風險。
This report is not intended to be, and should not be, used by anyone other than these specified parties. 本報告並非用於其他特定方以外的人使用,也不應該被使用。
The engagement partner on the assurance engagement resulting in this independent service auditor's report is Hou,Yu-Yi. 參與保證工作的合夥人是侯宇儀,導致這份獨立服務審計師報告的產生。
Deloitte & Touche 德勤豐盛
Taipei, Taiwan 臺灣台北
Republic of China 中華民國
February 27, 2024 2024 年 2 月 27 日
RESTRICTED. NO COPIES ALLOWED. 受限制。不得複製。
SECTION 2 STATEMENT OF FISC MANAGEMENT 第 2 部分 財務管理聲明
財金資訊股份有限公司
Financial Information Service Co., LTD. 金融資訊服務股份有限公司
No.81, Kang-Ning Rd., Sec. 3, 台北市內湖區康寧路三段 81 號
Nei-Hu Dist., Taiepi, R.O.C. 中華民國台北市內湖區
Tel : 電話:
Statement of Financial Information Service Co., Ltd (FISC) Management 金融信息服務有限公司(FISC)管理聲明
We have prepared the accompanying description in section 3 titled "FISC Service Organization's Description of its Financial Blockchain Information System (FBIS)" throughout the period January 1, 2023 to December 31, 2023, (the "description"), based on the criteria for a description of a service organization's system set forth in DC section 200, 2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report (AICPA, Description Criteria), ("description criteria"). The description is intended to provide customers who have used FISC's Financial Blockchain Information System and their auditors with information about the system that may be useful when assessing the risks arising from interactions with FISC's Financial Blockchain Information System, particularly information about system controls that FISC has designed, implemented and operated to provide reasonable assurance that its service commitments and system requirements were achieved based on the trust services criteria relevant to security, availability, processing integrity and confidentiality set forth in TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria) ("applicable trust services criteria"). 我們根據 2018 年 AICPA《服務組織系統描述標準》(Description Criteria)中規定的服務組織系統描述標準(DC section 200, 2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report)(AICPA,描述標準)編製了附表中標題為“FISC 服務組織對其金融區塊鏈信息系統(FBIS)的描述”的描述,涵蓋了 2023 年 1 月 1 日至 2023 年 12 月 31 日的期間(“描述”)。 本描述旨在為使用 FISC 的金融區塊鏈信息系統及其審計師的客戶提供有關系統的信息,該信息在評估與 FISC 的金融區塊鏈信息系統互動所產生的風險時可能會有所幫助,特別是有關 FISC 設計、實施和運營的系統控制的信息,以便提供合理保證,即基於 TSP 第 100、2017 年《安全、可用性、處理完整性、保密性和隱私的信任服務標準》(AICPA,信任服務標準)中有關安全、可用性、處理完整性和保密性的信任服務標準,FISC 實現了其服務承諾和系統要求。
We confirm, to the best of our knowledge and belief, that. 我們據我們所知和相信最好的知識確認,即。
a. The description presents FISC's Financial Blockchain Information System (FBIS) as designed and implemented throughout the period January 1, 2023, to December 31, 2023, in accordance with the description criteria. a. 本描述呈現了 FISC 的金融區塊鏈信息系統(FBIS),該系統自 2023 年 1 月 1 日至 2023 年 12 月 31 日期間根據描述標準設計和實施。
b. The controls stated in the description were suitably designed throughout the period January 1,2023 , to December 31,2023 , to provide reasonable assurance that FISC's service commitments and system requirements would be achieved based on the applicable trust services criteria, if its controls operated effectively throughout that period. b. 描述中所述的控制措施在 2023 年 1 月 1 日至 2023 年 12 月 31 日期间设计得当,以合理保证根据适用的信托服务标准,如果其控制在该期间内有效运行,将实现 FISC 的服务承诺和系统要求。
c. The controls, which were those necessary to provide reasonable assurance that FISC's service commitments and system requirements were achieved based on the applicable trust services criteria, operated effectively throughout the period January 1, 2023, to December 31, 2023. c. 这些控制措施是为了合理保证根据适用的信托服务标准,FISC 的服务承诺和系统要求在 2023 年 1 月 1 日至 2023 年 12 月 31 日期间得以实现而采取的,这些控制措施在该期间内有效运行。
SECTION 3 - 第 3 部分 -
FISC SERVICE ORGANIZATION'S DESCRIPTION OF ITS FINANCIAL BLOCKHAIN INFORMATION SYSTEM (FBIS) 金融區塊鏈信息系統(FBIS)的財務服務機構描述
Service Provided 提供的服務
The FBIS provides auditing units such as accounting firms, when auditing or reviewing corporate financial statements, directly issue confirmation request to financial institutions to obtain and evaluate audit evidence. The confirmation request data during the transmission process is cipher text transmission. In order to ensure data confidentiality, information security control and customer rights protection, the FBIS records the hash value of the confirmation request on the blockchain. The relevant transaction records cannot be added or changed. The data content of the confirmation request is not stored on the chain to achieve the effect of protecting transaction data. FBIS 為審計單位(如會計師事務所)提供服務,當審計或審核企業財務報表時,直接向金融機構發送確認請求以獲取並評估審計證據。在傳輸過程中,確認請求數據為密文傳輸。為確保數據保密性、信息安全控制和客戶權益保護,FBIS 在區塊鏈上記錄了確認請求的哈希值。相關交易記錄無法添加或更改。確認請求的數據內容不存儲在鏈上,以實現保護交易數據的效果。
Principal Service Commitments and System Requirements 主要服務承諾和系統要求
Regarding "Operation Manual of Participating Units of FBIS", For the service commitments with users, the service hours of FBIS is business days, the accounting firms, banks, enterprises all can apply for corporate authorization, confirmation request, or reply to confirmation information on business days. If there is an system abnormal situation or an information security incident, a security weakness, or an attack, etc., or if there is a risk of violating the information security policy of the competent authority of second party, the affected party shall notify the other party as soon as possible, unless necessary measures should be taken immediately to resolve or mitigate the behavior, and provide a detailed report to the other party, and both parties shall further discuss and agree on the emergency response operations, prevention of incident expansion, preservation of evidence, disaster recovery and other related treatments. 關於《FBIS 參與單位操作手冊》,對於與用戶的服務承諾,FBIS 的服務時間為工作日,會計師事務所、銀行、企業都可以在工作日申請企業授權、確認請求,或回覆確認信息。如果出現系統異常情況或信息安全事件、安全弱點或攻擊等,或者存在違反第二方主管機關信息安全政策風險,受影響方應盡快通知對方,除非必須立即採取措施解決或減輕行為,並向對方提供詳細報告,雙方應進一步討論並就緊急應對操作、防止事件擴大、證據保全、災難恢復和其他相關處置達成一致。
Regarding the system access, the account management is followed "FBIS Operating host account application and permission change operation manual", the person who is in-charge of account management is the member of resource control team and will review the account authority biannually to avoid unauthorized access. The changes of the FBIS follows "FBIS Change Management Procedure" and was implemented in the terminal room with a smart audit system for full monitoring. For system access safety, the user entities include personnel from accounting firms and banks to issue account numbers and chip cards and set their own fixed passwords to achieve two-factor authentication. No explicit information (such as unified number, ID card number, mobile phone number, e-mail account number, credit card number, deposit account number, etc.) of users shall be used for account number promotion. The security module of the chip card meets the safety strength of FIPS 140-2 Level 3 or above. The fixed password must meet the password policy. 關於系統存取,帳戶管理遵循「FBIS 操作主機帳戶申請和權限更改操作手冊」,負責帳戶管理的人員為資源控制團隊成員,將每六個月審查帳戶權限,以避免未經授權的存取。FBIS 的更改遵循「FBIS 變更管理程序」,並在端室實施智能審計系統進行全面監控。為確保系統存取安全,使用者實體包括會計師事務所和銀行人員,以發行帳號和晶片卡,並設置自己的固定密碼以實現雙因素驗證。不得使用使用者的明確信息(如統一編號、身份證號碼、手機號碼、電子郵件帳號、信用卡號碼、存款帳號等)進行帳號推廣。晶片卡的安全模組符合 FIPS 140-2 Level 3 或更高的安全強度。固定密碼必須符合密碼政策。
FISC commits to maintaining its management control system and continuously verified by British Standards Institution ("BSI") for international standards certificates such as ISO 27001, ISO 9001, ISO 22301, and BS 10012. To ensure information security and business continuity, FISC also conduct website security vulnerability detection, system penetration testing and information communication security health diagnosis, DDoS, social engineering exercises, red team attacks (imaginary enemy) and vulnerability scanning to ensure to provide complete reliable service. FISC 致力於維護其管理控制系統,並持續由英國標準協會("BSI")驗證,以獲得國際標準證書,如 ISO 27001、ISO 9001、ISO 22301 和 BS 10012。為確保信息安全和業務連續性,FISC 還進行網站安全漏洞檢測、系統滲透測試和信息通信安全健康診斷、DDoS、社會工程練習、紅隊攻擊(虛構敵人)和漏洞掃描,以確保提供完整可靠的服務。
Components of the System Used to Provide the Service 用於提供服務的系統組件
I. People 一、人員
The board of directors executes independent supervision over the design and implementation of the internal control and regularly evaluates its effectiveness. The management under the supervision of the board of directors, establishes an organizational structure, reporting system, and appropriate authority and responsibilities for FISC to achieve various goals. Authorization, design, development or acquisition, configuration, documentation, testing, approval, and implementation changes to infrastructure, data, software, and operating procedures to achieve goals. 董事會對內部控制的設計和執行進行獨立監督,並定期評估其有效性。在董事會監督下的管理層建立了一個組織結構、報告系統和適當的權限和責任,以實現 FISC 的各種目標。授權、設計、開發或獲取、配置、文檔化、測試、批准和實施基礕設施、數據、軟件和操作程序的變更以實現目標。
FISC has documented established roles and responsibilities based on functional discipline within the company. The organizational structure, with defined reporting authority, is also documented and posted internally, including those involved with the security, availability, processing integrity, and confidentiality trust principles. The number of people and necessary skills needed in the IT department is periodically assessed by management and a mechanism is in place so that deficiencies in internal control are communicated to appropriate management personnel. FISC 根據公司內的功能紀律確立了角色和責任的文件化,組織結構具有明確的報告權限,也已在內部發布,包括與安全、可用性、處理完整性和機密性信任原則有關的人員。管理層定期評估 IT 部門所需的人數和必要技能,並建立了一個機制,以便將內部控制的缺陷通報給適當的管理人員。
For risk management, FISC has set risk assessment organization structure, including the board of directors, risk management committee, risk management director, risk management team, every department of FISC, and the audit department which belongs to the board of directors. The annual risk assessment work is carried out by the "Risk Management Team" and the relevant results would be summarized. This team is directly under the general manager and consists of 1 team leader and 3 team members. The duties of the risk management team are including the research and revision of risk management systems, Research, planning, and implementation of risk management issues and supervise the implementation of risk management self-assessment activity of various units. 對於風險管理,FISC 已建立風險評估組織架構,包括董事會、風險管理委員會、風險管理總監、風險管理團隊、FISC 的每個部門,以及屬於董事會的審計部門。年度風險評估工作由“風險管理團隊”執行,相關結果將被總結。該團隊直屬總經理,由 1 名團隊負責人和 3 名團隊成員組成。風險管理團隊的職責包括風險管理制度的研究和修訂,風險管理問題的研究、規劃和實施,以及監督各單位風險管理自我評估活動的實施。
Regarding the FBIS, the related personnel planning is design as follow: 關於 FBIS,相關人員規劃如下設計:
System development 系統開發
1 supervisor who is responsible for reviewing the contents of the tasks undertaken by the team members and assist the team members in completing the assigned tasks. 1 位主管,負責審查團隊成員承擔的任務內容,並協助團隊成員完成分配的任務。
1 system planning and analysis member who oversees system planning, requirement confirmation and analysis, operation process planning and specification issuance, handling procurement operations, supplier communication and coordination related to FBIS. 1 位系統規劃和分析成員,負責監督系統規劃、需求確認和分析、操作流程規劃和規範發布、處理採購操作、與 FBIS 相關的供應商溝通和協調。
1 system design and development members and they are responsible for confirming requirements with manufacturers, installing and building systems, opening test cases and functional tests, system maintenance and monitoring operations 1 位系統設計和開發成員,負責與製造商確認需求、安裝和構建系統、開啟測試案例和功能測試、系統維護和監控操作。
II. Software and Infrastructure II. 軟體和基礎設施
FISC provides FBIS with confirmations service operations for External Confirmation Auditing Agency Service, External Confirmation Responding Bank Service, and a Financial Blockchain Network System including support services and associated data processing operations, FISC provides system hardware, software, support services and administrative services. FBIS is connected with Registration Authority ("RA") system from TAIWAN-CA INC. ("TWCA") for its Certificate Authority ("CA") service. And the scope of this assessment includes all systems with detail information shown below. For daily maintenance management, it is supported by other systems from FISC such as Vulnerability Management System, information security management system, etc. FISC 為 FBIS 提供外部確認審計機構服務、外部確認回應銀行服務,以及包括支援服務和相關數據處理操作的金融區塊鏈網絡系統,FISC 提供系統硬體、軟體、支援服務和行政服務。FBIS 與台灣數位認證股份有限公司("TWCA")的註冊機構("RA")系統相連,用於其憑證授權("CA")服務。本評估範圍包括所有系統,詳細信息如下所示。對於日常維護管理,由 FISC 的其他系統支援,例如漏洞管理系統、信息安全管理系統等。
Financial Blockchain Information System External Confirmation Auditing Agency Service 金融區塊鏈信息系統外部確認審計機構服務
Providing services to auditors (audit organization) and auditees (companies being audited). Through the system, auditors are able to request approval from companies or apply for external confirmations; 為審計師(審計組織)和被審計者(被審核公司)提供服務。 通過系統,審計師能夠向公司請求批准或申請外部確認;
Data Center 數據中心
Location 位置
Administered by 管理者
(location) (位置)
Application Description 應用程式描述
whereas auditees are able to approve. After the banks reply, auditors could also receive the results of the confirmation through the system. 審計對象能夠批准。銀行回覆後,審計師也可以通過系統收到確認結果。
Financial Blockchain Information System External Confirmation Responding Bank Service 金融區塊鏈信息系統外部確認銀行服務
ISC (Taichung ISC(臺中)
Providing services to banks for replying to external confirmation. Through the system, banks are able to receive and respond the confirmation to the auditor. 為銀行提供回覆外部確認的服務。透過系統,銀行能夠接收並回應審計師的確認。
Financial Blockchain Network System consists of blockchain nodes to provide blockchain service. 金融區塊鏈網絡系統由區塊鏈節點組成,提供區塊鏈服務。
III. Procedures 三、程序
FISC has developed various internal criteria documents, and staff follow internal procedures to perform operations. Specifications related to various trust criteria have been presented in the report, such as FISC 已經制定了各種內部標準文件,工作人員按照內部程序執行操作。報告中提出了與各種信任標準相關的規範。
Trust Services Criteria Relevant to Security 與安全相關的信任服務標準
Control Environment 控制環境
FISC has established the "Management System Specification" stipulates that the management will approve the operational objectives, policies, and guidelines for the management system, and stipulates the "Work Rules" that employees should perform the duty of honesty. "Working Guidelines for Performance Management Implementation", FISC 已建立了“管理體系規範”,規定管理層將批准管理體系的運營目標、政策和指南,並規定員工應該履行誠實職責的“工作規則”。“實施績效管理的工作指南”
"Working Guidelines for Employees' Retain and Promotion", " Management Guidelines for Contracts with Third Parties" and "Rules for Supplier Evaluation Management" are also established and regularly assessed to ensure that employees and outsourced personnel's performance meets expectations. The establishment of each department of FISC is based on the "Proper Levels & Responsibilities List", which are compiled according to different attributes, and the board of directors is convened and chaired by the chairman. In principle, it is held regularly every three months. The "Information System and Information Security Advisory Group" was also established to develop professional opinions on major proposals such as the company's information system and information security, and to strengthen the decision-making and supervision mechanism of the Board of Directors on information system and information security issues. "員工留任和晉升工作指引"、"與第三方簽約管理指引"和"供應商評估管理規則"也已建立並定期評估,以確保員工和外包人員的表現符合期望。FISC 各部門的設立基於"適當層級和責任清單",根據不同屬性編制,董事會由董事長召集並主持。原則上,每三個月定期舉行。還成立了"信息系統和信息安全諮詢小組",就公司的信息系統和信息安全等重大提案制定專業意見,加強董事會對信息系統和信息安全問題的決策和監督機制。
Communication and Information 溝通和信息
FISC has established "Internal Control Policy", the goal of establishing an internal control system, to promote the sound operation of the company, and to be followed by the board of directors, management, and employees. In addition, "Risk Management Operation Rules" is also established for risk management. The implementation of risk management plans or objectives by each unit shall regularly report to the business report to facilitate communication, discussion, review and improvement, and stipulate that each unit shall conduct risk management self-assessment at least once a year. To enhance the information security awareness of the whole company, "Working Guidelines for employee education and training management" contains the content of education and training and the regulations on internal and external training. If an abnormal accident occurs in the organization, it can also follow the "Reporting and Handling Points of Abnormal Incidents" for notification and further handling. FISC 已建立了“內部控制政策”,旨在建立內部控制系統,促進公司的良好運作,並由董事會、管理層和員工遵循。此外,還建立了“風險管理操作規則”進行風險管理。各單位執行風險管理計劃或目標應定期向業務報告,以促進溝通、討論、審查和改進,並規定各單位每年至少進行一次風險管理自我評估。為提高全公司的信息安全意識,“員工教育培訓管理工作指南”包含教育培訓內容和內外部培訓規定。如果組織發生異常事故,也可以按照“異常事件報告和處理要點”進行通知和進一步處理。
Risk Assessment 風險評估
FISC has established "Working Guidelines for Risk Assessment" to explain the promotion of each management system and planning the scope and schedule of risk assessment work. Each department should cooperate with the operation plan decided by the management review meeting to carry out risk assessment operations, reflect the current situation of risk changes, and explain the risk assessment operation mechanism. And FISC is also established "Regulations for Risk Management " to explain the company's implementation of risk management, regularly submit risk control reports, and report to the board of directors. Take steps to assess possible losses and provide adequate loss provisions in a timely manner and report to the board of directors. 金融監督管理委員會(FISC)已制定了《風險評估工作指引》,以說明推動各管理系統並規劃風險評估工作的範圍和進度。每個部門應配合管理審查會議決定的運營計劃進行風險評估操作,反映風險變化的現況,並說明風險評估操作機制。FISC 還制定了《風險管理規定》,以說明公司實施風險管理,定期提交風險控制報告,並向董事會匯報。採取措施評估可能的損失,及時提供足夠的損失準備金並向董事會匯報。
Monitoring Activities 監控活動
FISC has established "Network Security Management Manual" stipulates that the monitoring mechanism includes items such as the availability, capacity performance and various information security abnormal events of network security equipment, and establishes a vulnerability management mechanism, which requires that risk vulnerabilities such as the level of medium, high, and major risk weaknesses should be completed within 6 months. For those who cannot complete the weakness correction within the time limit (such as: the correction cannot be made, the manufacturer does not provide security updates, etc.), the management of the system equipment should fill in the "Information Security Exception Management Application Form", stating the reason or compensation measures should be submitted to the company's risk management supervisor for approval. 金融監督管理委員會(FISC)已制定了《網絡安全管理手冊》,規定監控機制包括網絡安全設備的可用性、容量性能和各種信息安全異常事件等項目,並建立了漏洞管理機制,要求風險漏洞(如中、高和重大風險弱點等級)應在 6 個月內完成。對於無法在時限內完成弱點修正的情況(例如:無法進行修正、製造商未提供安全更新等),系統設備管理應填寫《信息安全異常管理申請表》,說明原因或補償措施,並提交給公司風險管理主管審批。
Control Activities 控制活動
FISC has established the "Working Guidelines Problems and Needs Management Operation System" which states that management understands and determines the dependency and linkage between business processes, control activities, and general controls. In addition, FISC has established the "Internal Control Policy" which states that the company should established internal control audit system, self-audit system, and regulatory compliance and risk management mechanism in order to maintain the operating of internal control system. Regular review meetings are also held to review the assessment results. 金融監督管理委員會(FISC)已建立了“工作指南問題和需求管理操作系統”,其中規定管理層了解並確定業務流程、控制活動和一般控制之間的依賴性和聯繫。此外,FISC 還建立了“內部控制政策”,規定公司應建立內部控制審計系統、自我審計系統以及監管合規和風險管理機制,以維護內部控制系統的運作。定期舉行審查會議以審查評估結果。
Logical and Physical Access Controls 邏輯和物理訪問控制
FISC has established the "Working Guidelines for Assess Apply and Change Regarding Financial Operating System" which states about the execution process and access activities of the account. Users can only log in to the operating host in the physical control area (such as operation room, terminal room, connecting management room, customer service center, etc.), and it is forbidden to log in from other places. When logging into the terminal management system (the entrance of connecting to the operating host), the user used the original account number and password, and use the one-time password provided by the Two-Factor Authentication tool (token) to conduct two-factor verification. 金融監督管理委員會已制定了《有關財務運作系統評估、申請和更改的工作指南》,闡述了帳戶的執行過程和訪問活動。用戶只能在物理控制區域(如操作室、終端室、連接管理室、客戶服務中心等)登錄運行主機,禁止從其他地方登錄。當登錄到終端管理系統(連接到運行主機的入口)時,用戶使用原始帳號和密碼,並使用雙因素驗證工具(令牌)提供的一次性密碼進行雙因素驗證。
System Operations 系統操作
FISC has established the "Working Handbook for Internet Security Management", which stated an alert standard should be set for internet security equipment's status, effectiveness and event. If abnormal occurs, immediate messages and 金融監督管理委員會已制定了《互聯網安全管理工作手冊》,其中指出應為互聯網安全設備的狀態、有效性和事件設置警報標準。如果發生異常,應立即發送消息和
emails were sent to notify related operators. In addition, computers and internet equipment using TCP/IP communication protocol should execute security vulnerability evaluation by security manager or professional vendors. 發送了郵件通知相關操作員。此外,使用 TCP/IP 通信協議的計算機和互聯網設備應由安全經理或專業供應商執行安全漏洞評估。
Change Management 變更管理
FISC has established the "Financial Information System Change Management Procedure", which is set out in detail the procedures for application review and execution of permissions and the development process of the system change. The application system of organization is mostly changed in response to demand; thus, the organization has established control mechanism to implement change management, which is divided into R&D, testing, and operation environments. The R&D environment needs to be corrected by checking out the code from the Dimensions. After completion, use the test worksheet to apply for changes to the operating system. FISC 已建立了《財務信息系統變更管理程序》,詳細列出了申請審查和權限執行以及系統變更開發過程的程序。組織的應用系統主要是根據需求進行更改;因此,組織建立了控制機制來實施變更管理,分為研發、測試和運營環境。研發環境需要通過從 Dimensions 檢查代碼來進行更正。完成後,使用測試工作表申請對操作系統的更改。
Risk Mitigation 風險緩解
FISC has established the "Financial Blockchain Information Inquiry Operation Plan", which is stated that mechanisms for system backup, data backup, and function recovery in order to prevent the serious impact caused by the loss of data or the interruption of operation due to system failure and the establishment of a backup mechanism ensures the normal operation of the system. In addition, FISC also insures commercial fire insurance and electronic equipment insurance for ail hardware equipment of Donghu, Nangang and Taichung Backup Center. Finally, for the risk management and response of vendors and business partners, FISC has incorporated relevant requirements into the contract. 金融監督管理委員會(FISC)已建立了“金融區塊鏈信息查詢操作計劃”,其中規定了系統備份、數據備份和功能恢復機制,以防止由於系統故障而導致數據丟失或運營中斷而造成的嚴重影響,並建立了備份機制,確保系統正常運行。此外,FISC 還為東湖、南港和台中備份中心的所有硬件設備投保商業火災保險和電子設備保險。最後,對於供應商和商業夥伴的風險管理和應對,FISC 已將相關要求納入合同中。
Trust Services Criteria for the Availability 可用性的信任服務標準
According to the "Personal Computer and Server Management Manual", the demanding unit submits a demand application, and the system department is entrusted to handle or purchase the required equipment. The allocation and management of information system resources adopt sharing and sharing methods and use Active-Active architecture or a sufficient backup mechanism to ensure the availability of resources. A single device abnormality or failure does not affect business services. Besides, FISC has established the documentation "Key Points for Handling Environmental Facility Abnormalities", which identified abnormal environmental accidents, including air-conditioning system failure, water damage, building/structure collapse, telephone communication system failure, power supply interruption, earthquake phenomenon [Taipei basin earthquake degree above 6], flood, fire, man-made damage, infectious disease (Such as bird flu, malaria, plague, SARS, etc.). 根據《個人電腦和伺服器管理手冊》,需求單位提交需求申請,系統部門負責處理或購買所需設備。資訊系統資源的分配和管理採用共享方法,並使用主動-主動架構或足夠的備份機制來確保資源的可用性。單一設備的異常或故障不影響業務服務。此外,FISC 已建立了《處理環境設施異常情況要點》文件,其中確定了異常的環境事故,包括空調系統故障、水損、建築/結構倒塌、電話通信系統故障、電力供應中斷、地震現象【台北盆地地震程度超過 6 級】、洪水、火災、人為破壞、傳染病(如禽流感、瘧疾、瘟疫、非典等)。
If it is discovered that the accident may cause system failure, the assistant of the management department or its designated personnel shall report to the team leader of the "Emergency Handling Team" in accordance with the provisions of the "Emergency Response Operation Points". 如果發現事故可能導致系統故障,管理部門助理或其指定人員應根據《應急響應操作要點》的規定向“應急處置小組”組長匯報。
Trust Services Criteria for the Confidentiality 保密的信任服務標準
FISC has established the documentation "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System Requirements Function External Confirmation Front-end Transaction System Analysis Specification V1.00" to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained. FISC 已經建立了文件“金融區塊鏈信息系統-外部確認應對銀行服務連接規範”和“金融區塊鏈信息系統需求功能外部確認前端交易系統分析規範 V1.00”,以在接收或創建機密信息時識別和指定機密信息,並確定機密信息保留的期限。
Besides, these documentations also describe how to erase or otherwise destroy confidential information that has been identified for destruction. 此外,這些文件還描述了如何刪除或以其他方式銷毀已被確定要銷毀的機密信息。
Trust Services Criteria for the Processing Integrity 用於處理完整性的信任服務標準
FISC has established the documentation "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification" to identify information specifications required to support the use of products and services. Besides, the system has established a fool-proof mechanism for input data when inputting relevant information from the confirmation inquiry and reply to unit. The relevant data processing and transmission process will exist in the system in the form of certificate encryption, and the system will not keep a temporary file after the data transmission is completed. FISC 已建立了文件“金融區塊鏈信息系統-外部確認應答銀行服務連接規範”和“金融區塊鏈信息系統-外部確認審計機構服務連接規範”,以確定支持產品和服務使用所需的信息規範。此外,系統已建立了一個無誤機制,用於在從確認查詢和回覆單位輸入相關信息時輸入相關信息。相關數據處理和傳輸過程將以證書加密的形式存在於系統中,系統在數據傳輸完成後將不保留臨時文件。
IV. Data IV. 數據
The end-to-end verification is taken between the accounting firm and the financial institution and use confirmation for encryption. No other third-party institutions (including FISC) cannot know the content of the confirmation request, which meets the transaction data mask to ensure data privacy. This mode means that the confirmation request data replies from the financial institution are encrypted and protected by the accounting firm's certificate. The confirmation request data during the transmission process is cipher text transmission. FISC does not have the decryption certificate of the accounting firm, enhance it cannot decrypt the enquiry inquiry data. After the accounting firm receives the encrypted request confirmation data, the firm needs to use the 會計師事務所與金融機構之間進行端對端驗證,並使用確認進行加密。沒有其他第三方機構(包括 FISC)可以知道確認請求的內容,這滿足了交易數據遮罩以確保數據隱私。這種模式意味著金融機構回覆的確認請求數據已被加密並受到會計師事務所的證書保護。在傳輸過程中,確認請求數據是密文傳輸。FISC 沒有會計師事務所的解密證書,因此無法解密查詢數據。在會計師事務所接收到加密的請求確認數據後,公司需要使用
corresponding certificate to decrypt, and then the firm can know the content in plain text. In order to ensure data confidentiality, information security control and customer rights protection, the FISC records the hash value of the transaction data on the blockchain. The relevant transaction records cannot be added or changed. The data content of the confirmation request is not stored on the chain to achieve the effect of protecting transaction data. 對應的證書進行解密,然後公司可以知道明文中的內容。為了確保數據的保密性、信息安全控制和客戶權益保護,FISC 在區塊鏈上記錄了交易數據的哈希值。相關的交易記錄不能被添加或更改。確認請求的數據內容不存儲在鏈上,以達到保護交易數據的效果。
Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication, and Monitoring 控制環境、風險評估過程、信息與溝通以及監控的相關方面
The security category and applicable trust services criteria were used to evaluate the suitability of design and operating effectiveness of controls stated in the description. Security criteria and controls designed, implemented, and operated to meet them ensure that the system is protected against unauthorized access (both physical and logical). The controls supporting the applicable trust services security criteria are included in section 4 of this report. Although the applicable trust services criteria and related controls are included in section 4, they are an integral part of FISC's description of FBIS. 使用安全類別和適用的信任服務標準來評估描述中所述控制的設計和運行效果的適當性。設計、實施和運行的安全標準和控制確保系統受到未經授權的訪問(包括物理和邏輯訪問)的保護。支持適用的信任服務安全標準的控制包含在本報告的第 4 部分中。儘管適用的信任服務標準和相關控制包含在第 4 部分中,但它們是 FISC 對 FBIS 描述的一部分。
Security Control elements 安全控制元素
FISC's security control reflects the position taken by management and the Board of Directors concerning the importance of controls and the emphasis given to controls in FBIS's policies, procedures, methods, and organizational structure. Key elements of FISC's control environment include oversight by FISC's Board of Directors, Human Resources (HR) Policies and Practices, Employee Education, Risk Assessment and Monitoring, and Information and Communication. FISC 的安全控制反映了管理層和董事會對控制的重要性以及在 FBIS 政策、程序、方法和組織結構中賦予控制的重視所採取的立場。 FISC 控制環境的關鍵元素包括 FISC 董事會的監督、人力資源(HR)政策和實踐、員工教育、風險評估和監控,以及信息和溝通。
Security Control elements 安全控制元素
Communication and 溝通和
Enforcement of Integrity and 誠信和執行力
Ethical Values 道德價值觀的執行
Commitment to Competence 專業承諾
Description at FISC FISC 的描述
A statement of ethical values is available throughout the organization. 組織內提供道德價值觀聲明。
A formal code of conduct is communicated to employees. 向員工傳達正式的行為準則。
A culture exists emphasizing the importance of integrity and ethical behavior through oral communication and management example. 透過口頭溝通和管理示範,存在著強調誠信和道德行為重要性的文化。
HR policies and procedures are accessible to employees. 員工可以取得人力資源政策和程序。
Job descriptions are available containing minimum qualifications and job responsibilities. 提供包含最低資格和工作職責的工作描述。
Resources are available for employees, including equipment, software, and manuals. 為員工提供資源,包括設備、軟體和手冊。
Security Control elements 安全控制元素
Description at FISC FISC 的描述
Training is provided within FISC from a variety of sources. 在 FISC 內部提供來自各種來源的培訓。
Participation of the Board of 董事會的參與
Directors 董事
FISC Corporate bylaws and/or charter(s) exist outlining the responsibilities of the board 存在 FISC 公司章程和/或章程,概述董事会的责任
and management. 和管理。
A board of directors has been established and is charged with FISC corporate 已成立董事會,負責 FISC 公司
governance. 治理。
The board members include eleven to fifteen Directors and three to five Supervisors who 董事會成員包括十一至十五名董事和三至五名監事
shall be elected by the shareholders' meeting from among the persons with disposing 應由股東大會從具有處分能力的人中選舉產生。
capacity. 董事會成員定期開會履行董事會的職責。
The board members meet periodically to discharge the responsibilities of the board. 董事會成員定期開會履行董事會的職責。
The board members receive detailed reports and other information in advance of each 董事會成員在每次會議之前會收到詳細報告和其他信息
meeting. 。
Management Philosophy and 管理哲學和
Operating Style 運作風格
FISC IT Management emphasizes the importance of managing risks related to security FISC IT 管理強調管理與安全相關風險的重要性
trust principles in FBIS interaction with those involved in the process. 在 FBIS 與參與過程的人互動中,信任原則至關重要。
FISC IT Management is aware of security trust principal breaches or other significant issues. FISC IT 管理知悉安全信任原則違反或其他重大問題。
Policies and Standard Operating Procedures are established and articulated by management. 政策和標準作業程序由管理層建立和闡明。
FISC has an Incident Response process and breach protocol. FISC 擁有事件應變程序和違規協議。
FISC has documented established roles and responsibilities based on functional discipline within the company. The organizational structure, with defined reporting authority, is also documented and posted internally, including those involved with the security trust principles. FISC 已根據公司內的功能性學科確立了角色和責任。組織結構具有明確的報告權威,也已在內部進行了記錄和張貼,包括與安全信任原則有關的人員。
The number of people and necessary skills needed in the IT department is periodically assessed by management. IT 部門所需的人數和必要技能由管理層定期評估。
A mechanism is in place so that deficiencies in internal control are communicated to appropriate management personnel. 已建立機制,以便將內部控制的缺陷通報給適當的管理人員。
Authority and Responsibility 權力和責任
Management's description of key security trust principal position's responsibilities and authorities is reviewed by those charged with governance (or the Board). 管理對關鍵安全信任主要職位的責任和權限的描述由負責治理的人(或董事會)審查。
Human Resources Policies 人力資源政策
and Procedures
Description at FISC 財政情況描述
With respect to security trust principal areas, there is assignment of responsibility and authority for decision making. 就安全信任主要領域而言,負責和權力的分配負責決策。
Limitations are placed on the assignment of authority and responsibility. 對權力和責任的分配設有限制。
Human resources policies and practices are available on the FISC Corporate intranet and are updated on a periodic basis. 人力資源政策和實踐可在 FISC 企業內部網絡上找到,並定期更新。
For the position related to security trust principle, management conducts background investigations and performs reference checks prior to hiring. It includes criminal background search, past employment verification, education verification. 對於與安全信任原則相關的職位,管理層在招聘前進行背景調查和參考檢查。這包括刑事背景搜索、過去就業驗證、教育驗證。
Background checks are also performed for positions with high-level responsibility. 對於負有高級責任的職位也進行背景檢查。
To promote ethical behavior in the organization, training and awareness programs are provided. 為了促進組織中的道德行為,提供培訓和意識計劃。
Periodic performance reviews and appraisals are done for all personnel, and the results are well documented. 對所有人員進行定期績效評估和考核,並對結果進行詳細記錄。
Training is provided within FISC from a variety of sources. Management develops and conducts training on their systems, processes and procedures, and to provide specifically identified skills and knowledge to their workforce. Management also sends individual employees to training conducted externally by various organizations. 在 FISC 內部提供來自各種來源的培訓。管理層開發並進行有關系統、流程和程序的培訓,並為員工提供特定技能和知識。管理層還將個別員工派往外部組織進行的培訓。
Exit interviews are performed, including inquiries about concerns related to integrity and ethical values, and internal control. 進行離職訪談,包括詢問與誠信、道德價值觀和內部控制相關的問題。
Risk Assessment assessment is used to drive the activities of the internal control function. 風險評估評估用於推動內部控制功能的活動。
Business plans are created each year that establish priorities and allocates resources to address those priorities 每年制定業務計劃,確立優先事項並分配資源以應對這些優先事項。
IT plans are created each year that establish priorities and allocate resources to address those priorities. 每年都會制定 IT 計劃,確立優先事項並分配資源來解決這些優先事項。
An incident investigation and remediation system exist that includes a tracking mechanism that allows management to report on material fraud events. 存在一個事故調查和補救系統,其中包括一個跟踪機制,允許管理層報告重大欺詐事件。
Information and 資訊和
Communication 溝通
The organization periodically assesses the sufficiency of FBIS information systems to capture and report data that are timely, current, accurate, and accessible. 組織定期評估 FBIS 信息系統的充分性,以捕捉和報告及時、當前、準確和可訪問的數據。
Information about the entity's security trust principal objectives, internal control policies and procedures, and related individual responsibilities are communicated via e-mail, NOTES billboards, MS SharePoint, etc. to reinforce the entity's commitment to internal control. 有關實體安全信任主要目標、內部控制政策和程序以及相關個人責任的信息通過電子郵件、NOTES 公告板、MS SharePoint 等途徑進行傳達,以加強實體對內部控制的承諾。
FISC corporate intranet site or other communication tool exists for disseminating information, including information about internal control around the security trust principles. FISC 公司內部網站或其他溝通工具用於傳播信息,包括有關安全信任原則周圍的內部控制信息。
Instructions on how to access and submit a matter using the entity's whistle-blower program is available. 提供如何訪問並提交事項使用實體舉報計劃的說明。
Findings of the external auditor, along with management's proposed resolutions, are addressed with those charged with governance. 外部審計師的發現以及管理層提出的解決方案與負責治理的人士討論。
The organization periodically assesses the sufficiency of FBIS systems to capture and report data that are timely, current, accurate, and accessible. 組織定期評估 FBIS 系統的充分性,以捕捉和報告及時、準確且可存取的數據。
Information about the entity's security trust principal objectives, internal control policies and procedures, and related individual responsibilities are communicated via e-mail, NOTES billboard, MS SharePoint, etc. to reinforce the entity's commitment to internal control. 有關實體安全信任主要目標、內部控制政策和程序,以及相關個人責任的信息通過電子郵件、NOTES 公告板、MS SharePoint 等途徑進行傳達,以加強實體對內部控制的承諾。
FISC corporate intranet site or other communication tool exists for disseminating information, including information about internal control around the security trust principles. FISC 公司內部網站或其他通訊工具用於傳播信息,包括有關安全信任原則周圍的內部控制信息。
Instructions on how to access and submit a matter using the entity's whistle-blower program is generally available. 通常可以獲得有關如何存取和提交事項使用實體舉報計劃的說明。
Information regarding the whistle-blower program is made available to external parties. 有關舉報計劃的資訊向外部方提供。
Findings of the external auditor, along with management's proposed resolutions, are addressed with those charged with governance. 外部稽核師的發現以及管理層提出的解決方案將與治理機構討論。
Security and Availability Incident Communication 安全和可用性事件通訊
The company's main communication channel is the official document. Others are handled in compliance with laws and regulations. For example, the Information Security Management Law reports information about security incidents in accordance with" Notification and Handling Guidelines for Abnormal Incidents." The contact person and procedure when incident occurs are stated, and other countermeasures. During the period, there was no security incident and no system failure occurred. 公司的主要通訊渠道是官方文件。其他事項則根據法律法規處理。例如,根據《信息安全管理法》的《異常事件通報與處理指南》,報告安全事件的信息。當事件發生時,會說明聯絡人和程序,以及其他對策。在此期間,沒有發生安全事件,也沒有系統故障發生。
Trust Criteria and Related Control Activities 信任標準和相關控制活動
FISC's related controls and mapping to applicable criteria are included in section 4 of this report, 'Trust Services Category, Criteria, Related Controls, and Tests of Controls," to eliminate the redundancy that would result from listing them in this section and repeating them in section 4. Although the related controls and mapping to applicable criteria are included in section 4 of this report, they are, nevertheless, an integral part of FISC's description of the system. 本報告第 4 節包含 FISC 相關控制措施及映射到適用標準的內容,“信任服務類別、標準、相關控制措施和控制測試”,以消除在本節中列出並在第 4 節中重複列出將導致的冗余。儘管相關控制措施及映射到適用標準包含在本報告第 4 節中,但它們仍然是 FISC 系統描述的一部分。
Changes to the System during the Period 期間系統變更
Besides, to follow organizational adjustments and the implementation of division of labor, the Information Security Department of FISC is established after approval from the 4th meeting of the 9th board of directors. Information Security Department is responsible for organizing information security-related management operations. It is mainly responsible for information security policies and compliance matters, Establishment, promotion and maintenance of information security management system, collection and analysis of threat intelligence, and other information security management matters. 此外,為了遵循組織調整和分工實施,經第 9 屆董事會第 4 次會議批准後,FISC 信息安全部成立。信息安全部負責組織信息安全相關管理運作。主要負責信息安全政策和合規事項,信息安全管理系統的建立、推廣和維護,威脅情報的收集和分析,以及其他信息安全管理事項。
SECTION 4 - 第 4 節 -
TRUST SERVICES CATEGORY, CRITERIA, RELATED CONTROLS, AND TESTS OF CONTROLS 信託服務類別、標準、相關控制和控制測試
Applicable Trust Services Criteria Relevant to Security 適用於安全相關的信託服務標準
The trust services criteria relevant to security address the need for information and systems to be protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, processing Integrity and confidentiality of information or systems and affect the service organization's ability to achieve its service commitments and system requirements. 有關安全的信任服務標準涉及保護信息和系統免受未經授權的訪問、未經授權的信息披露和可能危害信息或系統的系統損壞,這可能危及信息或系統的可用性、處理完整性和機密性,並影響服務組織實現其服務承諾和系統要求的能力。
Security refers to the protection of 安全是指保護
i. Information during its collection or creation, use, processing, transmission, and storage and. i. 在收集或創建、使用、處理、傳輸和存儲信息期間的信息。
ii. Systems that use electronic information to process, transmit or transfer, and store information to enable the achievement of FISC's service commitments and system requirements. Controls over security prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removal of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information. ii. 使用電子信息來處理、傳輸或轉移、並存儲信息,以實現 FISC 的服務承諾和系統要求的系統。對安全的控制可以防止或檢測職責分離的破壞和規避、系統故障、處理不正確、信息或系統資源的盜竊或其他未經授權的移除、軟件的濫用、以及對信息的不當訪問或使用、修改、破壞或披露。
Control Environment 控制環境
Trust Services Criteria for the Security 安全的信任服務標準
Category
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師對
Controls
CC1.1
COSO Principle 1: The COSO 原則 1:實體展示了
entity demonstrates a 實體展示了
commitment to integrity 致力於誠信
and ethical values. 和道德價值。
The organization has established the 该组织已建立了
"Management System Standard" and the "管理系統標準"和
"Work Rules" which state the guidance of "工作規則"規定了
directives, actions, and behavior the 指導、行動和行為
importance of integrity and ethical values 誠信和道德價值觀的重要性
to support the functioning of the system 支持系統的運作
of internal control. 內部控制的功能。
Inspected the latest documentation named 審查了 2023 年 4 月 25 日由總經理批准的最新文件,名為
"Management System Standard," approved by the "管理系統標準",並
General Manager on April 25th, 2023, and "Work "工作
Rules," approved by the General Manager on 規則,“經總經理於
December 1st, 2023. We confirmed that FISC's 2023 年 12 月 1 日批准。我們確認 FISC 的
values of integrity and ethics are regulated and 誠信和道德價值受到規範並
communicated.
No exceptions noted. 未發現任何例外情況。
Trust Services Criteria for the Security 用於安全的信任服務標準
Category
Description of FISC Service FISC 服務描述
Organization's Controls 組織的控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務的結果
Auditor's Tests of 審計師的測試
Controls
The organization defines behaviors 組織界定行為
related to the expectations of integrity 與誠信期望相關
and ethical values in documents such as 以及倫理價值在文件中
the "Work Rules", the "Labor Contract" 工作規則"、"勞動合同
and the "Declaration of Interests 以及"利益聲明"
Avoidance".
Inspected the latest documentation, including the 審查了最新文件,包括
-WorkRules' signed by the General Managerand -由總經理簽署的“工作規則”
renewed on December 1st, 2023, the 'Sevvice 於 2023 年 12 月 1 日續簽,名為“服務協議/雇傭合同”
Agreement/Employmerit Contract for Reserve 保留
Personnel,' the 'Declaration of Interests Avoidance," 人事,“利益冲突声明”,
and the 'Undertaking.' Confirmed that FISC's 以及“承诺”。确认 FISC 的
behaviors related to the expectations of integrity 行为符合诚信期望
and ethical values are regulated and 道德價值受到規範和
communicated.
inspected a selection of new employees, all of them 檢查了一些新員工,他們全部
have signed the Service Agreemenl/Employment 已簽署了服務協議/僱傭
Contract for Reserve Personnel, the Declaration of 預備人員合同,聲明
Interests Avoidance and the Undertaking. 利益避免和承諾。
No exceptions noted. 未發現任何例外。
The organization has established "Work 该组织已建立了与
Rules' and regulations related to the 年度综合绩效相关的“工作
annual comprehensive performance 规章制度
assessment ot employees. These 員工評估。這些
regulations govern the performance 規定管理著表現
processes for individuals and teams, as 個人和團隊的流程,以
well sa the corresponding reward and 以及相應的獎勵和
penalty systems. 懲罰制度。
Inspected the latest documentation named "Work 檢查了名為“工作”的最新文件。
Rules", the "Working Guidelines for Employee "規則",員工工作指南
Trust Services Criteria for the Security 安全的信任服務標準
Category
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師的測試
Controls
CC9.1
The entity identifies, 實體識別、
selects, and develops 選擇和開發
risk mitigation activities 風險緩解活動
for risks arising from 針對由於風險而產生的
potential business 潛在業務
disruptions,
The entity has established the 'Incident 實體已建立了“事件
Reporting and Handling Standard' which 報告和處理標準”,
standardizes mechanisms for reporting 標準化了報告机制
and handling incidents. 處理事件。
Inspected the latest documentation named 'Incident 檢查最新的名為“事件報告和處理標準”的文件,
Reporting and Handling Standard,' signed by the 簽署者為
General Manager on August 29 th, 2023, and 於 2023 年 8 月 29 日確認,總經理
confirmed that the organization has established an 確認組織已建立
incident reporting process, a contingency handling 事件報告流程,應變措施
policy, and an 'Emergency Incident Response 政策,以及“緊急事件應變
Team."
No exceptions noted 未發現任何例外
The organization conducts regular 該組織定期進行
disaster recovery drills. Additionally, the 災難恢復演習。此外,
organization periodically performs 組織定期執行
Business Impact Analysis (BIA) based on 基於業務影響分析(BIA)
operational and business risksto 基於運營和業務風險進行
establish Recovery Time Objectives 建立恢復時間目標
(RTO) and Recovery Point Objectives (RTO)和恢復點目標
(RPO).
Inspected some samples of the "Disaster Recovery 檢查了一些“災難恢復”
Drill Report" and confirmed that the organization "鑽孔報告"並確認組織
regularly conducts disaster recovery drills for FBIS. 定期為 FBIS 進行災難恢復演練。
Additionally, inspected some samples of the 此外,檢查了一些樣本。
"Business Impact Analysis Records" and confirmed 「業務影響分析記錄」,並確認
that the organization periodically performs business 組織定期進行業務
operations analysis based on operational and ,確定恢復時間
business risks, establishing Recovery Time
Objectives (RTO) and Recovery Point Objectives 目標(RTO)和恢復點目標
(RPO).
No exceptions noted 未發現任何例外
Trust Services Criteria for the Security 安全的信任服務標準
Category
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師的測試
Controls
requirements, other requirements, the outsourcing 要求,其他要求,外包
supplier's information security management 供應商的資訊安全管理
requirements, and information security requirements 要求,以及資訊安全要求
for outsourced information operations. 針對外包的資訊運營。
The organization has established the 該組織已建立了
'Measures for the Supervision and '供應商監督和管理措施'
Administration of Vendors' outlining '大綱'
specific requirements for vendor and '供應商具體要求'
business partner engagement. These 業務夥伴參與。這些
requirements include the security 要求包括安全
requirements.
Inspected the latest documentation named 檢查了最新的名為文件
'Measures for the Supervision and Administration of '《供應商監督管理辦法》已於 2023 年 6 月 29 日由總經理簽署,並確認該組織已經'
Vendors,' signed by the General Manager on June 簽署。'
29th, 2023, and confirmed that the organization has
established security requirements for vendors and 為供應商和業務夥伴建立安全要求。
business partners. 檢查與供應商簽訂的合同。
Inspected a contract signed with a vendor on
December 19th, 2022, and confirmed that the 2022 年 12 月 19 日,並確認合同包括對供應商的要求
contract includes requirements for the vendor to 遵守特定的傳輸協議並使用
adhere to specific transmission protocols and use
designated encryption algorithms. 指定的加密算法。
inspected the "Summary Table of Information 檢查了“信息摘要表”
Security Incident Alerts' and confirmed that the 安全事件警報'並確認
organization did not identif vulnerabilities caused 組織在審計期間未識別由供應商引起的漏洞。
by vendors during the audit period. 信任服務標準的安全性準則。
No exceptions noted. 未發現任何異常。
Trust Services Criteria for the Security 供應商在審計期間未識別由供應商引起的漏洞。
Category
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
of
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師的測試
Controls
The organization has established the 該組織已建立了
'Measures for the Supervision and '供應商監督和管理措施,'
Administration of Vendors,' outlining '概述了'
specific requirements for vendor and '供應商和'
business partner engagement. These 業務夥伴參與。這些
requirements include the regular 要求包括定期
assessment of risk and performance for 風險和績效評估以及
vendors and business partners. 供應商和商業夥伴。
Inspected the latest documentation named 檢查了最新的文件,名為
'Measures for Ihe Supervision and Administration of 《監督管理措施
Vendors,' signed by the General Manager on June 供應商,由總經理於 2023 年 6 月 29 日簽署,並確認組織已建立對定期要求
29th. 2023, and confirmed that Ihe organization has
established requirements for the regular
assessment of risk and performance for both 風險和績效評估,適用於供應商和商業夥伴。
vendors and business partners." 檢查了一些“供應商評估”的樣本。
Inspected some samples of the 'Vendor Evaluation'
document, it was known that the organization 根據文件,已知該組織
conducts regular risk and performance assessments 定期進行風險和績效評估
for vendors and business partners, including those 針對供應商和商業夥伴,包括那些
associated with the Financial Blockchain Information 與金融區塊鏈信息相關
System (FBIS). 系統(FBIS)。
No exceptions noted 未發現任何例外
The organization has established the 該組織已建立了
'Measures for the Supervision and 監管和
Administration of Vendors,' outlining 供應商管理,概述
specific requirements for vendor and 供應商和
business partner engagement. These 業務夥伴參與的具體要求。這些
requirements include the assigns 要求包括分配
responsibility and accountability for the 負責和承擔
management of risks associated with 與風險管理相關聯的责任
vendors and business partners. 供應商和商業夥伴。
Inspected the latest documentation named 檢查了最新的文件名為
'Measures for (he Supervision and Administration of 《監督管理措施》
Vendors,' signed by the General Manager on June 供應商,由總經理於 2023 年 6 月 29 日簽署,
29th, 2023, and confirmed that Ihe organization has 並確認該組織已建立包括指派在內的要求
established requirements that include assigning 要求
responsibility and accountability for the 負責和承擔與供應商和業務夥伴相關的風險管理
management of risks associated with vendors and
business partners, 負責和承擔與供應商和業務夥伴相關的風險管理
Inspected a contract signed with a vendor on 審查了與供應商簽署的合同
December 19th, 2022, and confirmed that the 於 2022 年 12 月 19 日,並確認內容包括有關所有權的細節
content includes details about the ownership of the
contracl subject and the procedures for handling 合同主題和處理程序
force majeure events, such as natural disasters or 不可抗力事件,如自然災害或
unforeseen circumstances. 不可預見的情況。
No exceptions 無例外
confirmed,
Applicable Trust Services Criteria for the Availability 適用於可用性的信任服務標準
The trust services criteria for the availability address the need for information and systems are available for operation and use to meet the entity's objectives. Availability refers to the accessibility of information used by the entity's systems as well as the products or services provided to its customers. The availability objective does not, in itself, set a minimum acceptable performance level; it does not address system functionality (the specific functions a system performs) or usability (the ability of users to apply system functions to the performance of specific tasks or problems). However, it does address whether systems include controls to support accessibility for operation, monitoring, and maintenance. 可用性的信任服務標準涉及信息和系統可供操作和使用,以滿足實體的目標的需求。可用性是指實體系統使用的信息以及提供給客戶的產品或服務的可訪問性。可用性目標本身並未設定最低可接受的性能水平;它不涉及系統功能(系統執行的具體功能)或可用性(用戶應用系統功能來執行特定任務或問題的能力)。但是,它確實涉及系統是否包括支持操作、監控和維護的可訪問性的控制。
Additional Criteria to Availability 可用性的附加標準
Trust Services Criteria for the Availability 可用性的信任服務標準
Category
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師對
mechanical facilities in response to 機械設施的測試以回應
environmental threats. 環境威脅。
The organization has established the 该组织已建立了
"Abnormal accident reporting and "异常事故报告和
handling standard", which states that "處理標準",指出組織應建立一個
the organization should establish a 健全的機制來處理
sound mechanism for handling
abnormal accidents and set up an 異常事故和設立一個
"emergency handling team". "應急處置小組"。
damage, and infectious diseases. Chapter 4 損害,和傳染病。第四章
outlines the response process for aboormal 概述了異常事件的響應流程
incidents and Chapter 5 further specifies preventive 以及第 5 章進一步指定了預防措施
procedures for abnormal incidents and detailed 用於異常事件的程序和詳細說明
procedures for responding to various abnormal 回應各種異常情況的程序
incidents.
Inspected the "Various Environmental Facility 檢查了“各種環境設施
Maintenance Records," it is confirmed that the 維護記錄”,確認
a. Generation of backup files on the source host. a. 在來源主機上生成備份文件。
b. Transmission of files from the source host to the b. 從來源主機傳輸文件
main center backup system according to the backup 到主中心備份系統,根據備份
schedule.
c. Automatic copying of files from the main center c. 自動從主中心複製文件
backup system to the offsite backup system. 備份系統到離站備份系統。
Inspected the FBIS system backup configuration 檢查了 FBIS 系統備份配置
and confirmed that the system automatically 並確認系統自動
executes daily backups, syncing them with the 每天執行備份,並將其與台中的備份中心同步。
backup center in Taichung. After the system 系統備份後,將自動發送電子郵件通知。
backup, an automatic email notification is
dispatched to the system administrators, ensuring 分派給系統管理員,確保
the smooth operation of the backup mechanism. 備份機制的順利運作。
Inspected some samples of the "Disaster Recovery 檢查了一些“災難恢復”
Drill Report" and confirmed that the organization "鑽孔報告"並確認組織
regularly conducts disaster recovery grills for FBIS. 定期進行 FBIS 的災難恢復演練。
Additionally, inspected some samples of the 此外,檢查了一些樣本。
"Business Impact Analysis Records' and confirmed "業務影響分析記錄'並確認
that the organization periodically performs business 組織定期進行業務
Applicable Trust Services Criteria for the Confidentiality 機密性的適用信任服務標準
The trust services criteria for the confidentiality address the need for information designated as confidential is protected to meet the entity's objectives. Confidentiality addresses the entity's ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity's control in accordance with management's objectives. Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention and restrict its disclosure to defined parties (including those who may otherwise have authorized access within its system boundaries). Confidentiality requirements may be contained in laws or regulations or in contracts or agreements that contain commitments made to customers or others. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel. Confidentiality is distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information. In addition, the privacy objective addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property. 信任服務標準的機密性準則涉及對指定為機密的信息進行保護,以滿足實體的目標。機密性涉及實體保護被指定為機密的信息,從其收集或創建開始,直至根據管理目標從實體控制中移除。如果信息的保管人(例如,持有或存儲信息的實體)需要限制其訪問、使用和保留,並將其披露限制在已定義的各方(包括那些在其系統範圍內可能有授權訪問權限的人)之內,則該信息是機密的。機密性要求可能包含在法律或法規中,也可能包含在向客戶或其他人作出的承諾的合同或協議中。信息需要保持機密可能出於許多不同的原因。例如,該信息可能是專有的,僅供實體人員使用。 機密性與隱私有所區別,隱私僅適用於個人信息,而機密性則適用於各種類型的敏感信息。此外,隱私目標涉及有關個人信息的收集、使用、保留、披露和處置的要求。機密信息可能包括個人信息以及其他信息,如商業秘密和知識產權。
Additional Criteria to Confidentiality 保密的附加標準
Trust Services Criteria for the 信任服務標準对
Confidentiality Category 機密性類別
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師對
Controls
C1.1
The entity identifies and 實體識別並
maintains confidential 保持機密
information to meet the 資訊以滿足
entity's objectives related 實體的相關目標
to confidentiality. 保密。
The Organization has established a 本組織已建立了一個
"Financial Information System Change "財務信息系統更改
Management Procedure" which states "管理程序"規定
that confidential information shall not be 機密信息不得
displayed, or relevant records shall be 顯示,或相關記錄應該
kept in clear code. 保存在清晰的代碼中。
The organization has established the 该组织已建立了
"Application Development Safety Work "應用程式開發安全工作
Manual", which prohibits the writing of "手冊",禁止將機密信息寫入
confidential information into the 程式中,透過系統設計。
program by system design. 來防止。
The organization has established the 该组织已建立了
Financial Blockchain Confirmation 金融區塊鏈確認
System Response Unit Connection 系統回應單元連接
Specification" and the "Financial "規範"和"財務
Blockchain Confirmation System 區塊鏈確認系統
Verification Unit Connection 驗證單元連接
Specification" to identify the designated 用於識別指定的“規範”
confidential information received or 收到或檢查的機密信息
created,
inspected the documentation named "Financial 名為“財務”的文件
Information System Change Management 資訊系統變更管理
Procedure" 5.10, it is regulated that sensitive data 程序" 5.10 規定敏感數據
such as passwords and key codes must not be 如密碼和密鑰代碼不得
displayed or stored in plain text in any documents, 在任何文件、流程或與更改相關的日誌文件中以純文本形式顯示或存儲
processes, or log files related to the change 檢查名為"應用程式"的文件
Inspected the documentation named "Application 檢查名為"應用程式"
System Development Security Operation Manual" 系統開發安全操作手冊
Chapter 1, specific regulations about confidentiality 第一章,有關保密的具體規定
have been established, such as the application 已經建立,例如應用
system must not embed user codes (II), 系統不得將使用者代碼(II)、
passwords, or other personally identifiable 密碼或其他可識別個人身份的資訊嵌入程式模組中。如果使用者
information into program modules. If user
passwords are stored in data files, they should 密碼存儲在數據文件中時,它們應該
undergo obfuscation, and password transmission 經過混淆,並且密碼傳輸
processes must be encrypted for protection. Also, 過程必須加密以保護。此外,
application fields displaying personal data should be 應基於“最小權限”原則對顯示個人數據的應用領域進行遮蔽
masked based on the principle of "least pnvilege" (需要知道)。如果顯示超過兩列
(neeed-to-know). If displaying more than two columns
of personal data is required for operational 運營需要個人數據
purposes, a log of personal data access should be 存取個人數據的日誌應保留
retained, and the file name should be ,並應保留文件名
"AP_Function_Name_AUDIT_LOG." AP 功能名稱_AUDIT_LOG。
Inspected the documentation named "Financial 檢查名為"財務
Blockchain Certificate System Response Unit 區塊鏈證書系統回應單位
Connection Specification" and Financial Blockchain 連接規範"和金融區塊鏈
Certificate System Audit Unit Connection 證書系統審核單位連接
Specification," it is noted that both documents 規範,"應注意到這兩份文件
No exceptions noted. 未發現任何例外情況。
Trust Services Criteria for the 信任服務標準
Confidentiality Category 機密性類別
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師對
Controls
specify the use of the HTTPS communication 指定使用 HTTPS 通信
protocol for the connection between the 協議來連接
audit/response unit systems and the local system 審計/回應單位系統和本地系統
(FBIS). Additionally, encryption specifications are (FBIS)。此外,加密規格定義在“回應”第 5.5 和 5.6 節中
defined in sections 5.5 and 5.6 of the "Response
Unit Connection Specification" and sections 4.5 and 單元連接規範"和第 4.5 和
4.6 of the "Audit Unit Connection Specification The 4.6 的"審計單元連接規範
encryption method is based on JSON Web 加密方法基於 JSON Web
such as AES and HMAC. Therefore, FISC does not 如 AES 和 HMAC。因此,FISC 不
possess the keys to decrypt the encryption 擁有解密加密的金鑰
certificates of the audit and response units, and 審計和回應單位的證書,以及
there is no storage of plaintext sensitive data within 不存儲明文敏感數據
FBIS.
Inspected the "Database Encryption Setting," it is 審查了“數據庫加密設置”,確認 FBIS 內的數據已加密。
confirmed that data within FBIS is encrypted. 處理完整性的適用信任服務準則
Applicable Trust Services Criteria for the Processing Integrity
The trust services criteria for the Processing Integrity address the need for system processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation. Because of the number of systems used by an entity, processing integrity is usually only addressed at the system or functional level of an entity. In a SOC for Supply Chain examination, processing integrity refers to whether processing is complete, valid, accurate, timely, and authorized to produce, manufacture, or distribute goods that meet the products' specifications. 處理完整性的信任服務標準涵蓋系統處理需完整、有效、準確、及時且經授權,以滿足實體的目標。處理完整性指系統處理的完整性、有效性、準確性、及時性和授權性。處理完整性涉及系統是否實現其存在的目的或目標,以及它們是否以無誤差、延遲、遺漏、未經授權或非故意操縱的方式執行其預期功能。由於實體使用的系統數量眾多,處理完整性通常僅在實體的系統或功能層面上進行。在供應鏈的 SOC 審查中,處理完整性指處理是否完整、有效、準確、及時且經授權,以生產、製造或分發符合產品規格的商品。
Additional Criteria for Processing Integrity 處理完整性的附加標準
Trust Services Criteria for the Processing 處理的信任服務標準
Integrity Category 完整性類別
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師的測試
Controls
Pl1.1 {f45c998bd-ad1a-43b3-9f33-905210a6ac52}
0
The entity obtains or 實體獲取或
generates, uses, and 生成,使用和
communicates relevant, 傳達相關的,
quality information 優質資訊
regarding the objectives 有關目標
related to processing, 與處理相關,
including definitions of data 包括數據定義
processed and product and 處理和產品以及
service specifications, to 服務規格,以
support the use of products 支持產品和服務的使用。
and services. 。
The organization has established the 組織已建立
"Financial Blockchain Confirmation "財務區塊鏈確認
System Response Unit Connection 系統回應單元連接
Specification" and the "Financial 規格" 和 "財務
Blockchain Confirmation System 區塊鏈確認系統
Verification Unit Connection 驗證單元連接
Specification", which specify the 規範",其中指定
functional and non-functional 功能性和非功能性
requirements related to system 與系統相關的需求
processing and the specification 處理和規範
information required to support the use 支持使用所需的信息
of products and services. 產品和服務的使用。
ii
Inspected the documentation named "Financial 檢查名為“財務”
Blockchain Certificate System Response Unit 區塊鏈證書系統回應單元
Connection Specification" and "Financial Blockchain 連接規範"和"金融區塊鏈
Certificate System Audit Unit Connection 證書系統審計單元連接
Specification," it is known that both documents 根據規範,已知這兩份文件
provide detailed specifications for the required service 提供所需服務的詳細規範
usage information within Ihe FBIS in Chapters 2 and 第 2 章和第 3 章中提供了 Ihe FBIS 內的使用信息
3.
No exceptions noted. 未發現任何例外情況。
Trust Services Criteria for the Processing 處理的信任服務準則
Integrity Category 完整性類別
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師對
Controls
PM. 2
The entity implements 實體實施
policies and procedures 政策和程序
over system inputs, 通過系統輸入,
including controls over 包括對控制的控制
completeness and 完整性和
accuracy, to result in 準確性,以結果為導向
products, services, and 產品、服務和
reporting to meet the 報告以滿足
entity's objectives 實體的目標
The organization has established the 這個組織已建立了
"Financial Blockchain Confirmation "金融區塊鏈確認
System Response Unit Connection 系統回應單元連接
Specification" and the "Financial 規格" 和 "財務
Blockchain Confirmation System 區塊鏈確認系統
Verification Unit Connection 驗證單元連接
Specification", which states the 規格",其中規定了
characteristics of data input. 資料輸入的特性。
FBIS has set the maximum input FBIS 已設置了最大輸入
character length and certain fields 字符長度和某些字段
cannot be empty. 不能為空。
The organization has kept FBIS user 該組織已保存了 FBIS 用戶
operation records. 操作記錄。
Inspected the documentation named "Financial 檢查了名為“財務”
Blockchain Certificate System Response Unit 區塊鏈證書系統回應單元
Connection Specification" and "Financial Blockchain 連接規範"和"金融區塊鏈
Certificate System Audit Unit Connection 證書系統審計單元連接
Specification," it is noted that both documents define 根據規範,應注意到這兩份文件都定義了
the characteristics of "input processing" in section 在第部分中“輸入處理”的特徵
2,3.1,
Inspected the "Data Input Error Prevention Testing," it 檢查了“數據輸入錯誤預防測試”,
is confirmed that FBIS has set the maximum input 已確認 FBIS 設置了最大輸入
character length and specified that certain fields 字符長度並指定了某些字段
cannot be left empty. If the input charactenstics are 不能留空。如果輸入特性是
not met. Ihe system will display a warning window. 未達到。系統將顯示警告視窗。
Inspected the "FBIS System User Operation Log." it is 檢查了“FBIS 系統使用者操作日誌”。確認
confirmed that FBIS has a complete record of user FBIS 有完整的使用者記錄。
operations, including input, queries, exports, etc. 操作,包括輸入、查詢、導出等。
No exceptions noted. 未發現任何異常。
PH. 3
The entity implements 實體實施
policies and procedures 政策和程序
over system processing to 超過系統處理
result in products, services, 產品、服務的結果
and reporting to meet the 並報告以滿足
entity's objectives. 實體的目標。
The organization has established the 組織已建立
"Financial Blockchain Confirmation "財務區塊鏈確認
System Response Unit Connection 系統回應單元連接
Specification" and the "Financial 規格" 和 "財務
Blockchain Confirmation System 區塊鏈確認系統
Verification Unit Connection 驗證單元連接
Specification", which defined the 規範",其中定義了
specifications for data processing. 數據處理的規範。
The organization has kept FBIS user 該組織已保存了 FBIS 用戶
operation records and can monitor user 操作記錄並可以監控用戶
operations promptly. 迅速進行操作。
Inspected the documentation named "Financial 檢查名為“財務”文件
Blockchain Certificate System Response Unit 區塊鏈證書系統回應單元
Connection Specification" and "Financial Blockchain 連接規範"和"金融區塊鏈
Certificate System Audit Unit Connection 證書系統審核單位連接
Specification." it is noted that both documents provide 規範。值得注意的是,這兩份文件都提供
detailed specifications on the required information and 所需信息和 FBIS 內部數據處理流程的詳細規格
the data processing flow within the FBIS in Chapters 2 在第 2 章中的 FBIS 內部數據處理流程
and 3.
Inspected the "FBIS System User Operation Log," it is 檢查了“FBIS 系統用戶操作日誌”,发现
confirmed that FBIS has a complete record of user 確認 FBIS 擁有完整的用戶記錄
operations, including input, queries, exports, etc., and 包括輸入、查詢、導出等操作
the system allows real-time monitoring of user 系統允許對用戶進行實時監控
activities.
No exceptions noted. 未發現任何例外情況。
Trust Services Criteria for the Processing 處理的信任服務準則
Integrity Category 完整性類別
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師對
Controls
Pl14
The entity implements 實體實施
policies and procedures to 政策和程序進行
make available or deliver 提供或交付
output completely, 完全輸出
accurately, and timely in 準確且及時地输出
accordance with 根據
specifications to meet the 規格以滿足
entity's objectives. 實體的目標。
The organization has established the 该组织已建立
"Financial Blockchain Confirmation "金融區塊鏈確認
System Response Unit Connection 系統回應單元連接
Specification' and the "Financial 規範'和"財務
Blockhain Confirmation System 區塊鏈確認系統
Verification Unit Connection 驗證單元連接
Specification", which states the "規範",其中規定了
characteristics of data output. 數據輸出的特徵。
The organization has kept FBIS user 組織一直保留著 FBIS 用戶
operation records. 操作記錄。
Inspected the documentation named "Financial 檢查名為“財務
Blockchain Certificate System Response Unit 區塊鏈證書系統響應單元
Connection Specification" and "Financial Blockchain "連接規範"和"金融區塊鏈
Certificate System Audit Unit Connection 證書系統審計單位連接
Specification," it is noted that both documents define 規範",值得注意的是,這兩份文件都定義
the characteristics of "output processing' in section 在“輸出處理”部分的特點
2 3.3.
Inspected the "FBIS System User Operation Log," it is 檢查了“FBIS 系統用戶操作日誌”,確認
confirmed that FBIS has a complete record of user FBIS 有完整的用戶記錄
operations, including input, queries, exports, etc. 操作,包括輸入、查詢、導出等。
No exceptions noted. 未發現任何異常。
PH. 5
The entity implements 實體實施
policies and procedures to 政策和程序以
store inputs, items in 存儲輸入,項目在
processing, and outputs 處理和輸出
completely, accurately, and 完全、準確且
timely in accordance with 及時地按照
system specifications to 系統規格進行
meet the entity's 遇見實體的
objectives.
The organization has established the 這個組織已建立了
"Financial Blockchain Confirmation "金融區塊鏈確認
System Response Unit Connection 系統回應單元連接
Specification' and the "Financial 規格"和"財務
Blockchain Confirmation System 區塊鏈確認系統
Verification Unit Connection 驗證單元連接
Specification", which states the storage 規格",規定了存儲
and integrity of data. 和數據的完整性。
The organization has kept FBIS user 該組織已保存了 FBIS 用戶
operation records. 操作記錄。
The organization has established the 該組織已建立了
"Open Hosts SQL Server databases "打開主機 SQL Server 資料庫
Routine Maintenance Instructions' 常規維護說明'
which states that database restoration 聲明資料庫還原
drills should be conducted regularly. 應定期進行演練。
Inspected the documentation named "Financial 檢查名為「財務」的文件
Blockchain Certificate System Response Unit 區塊鏈證書系統回應單位
Connection Specification" and "Financial Blockchain "連接規範"和"金融區塊鏈
Certificate System Audit Unit Connection 證書系統審計單位連接
Specification," it is known that both documents 規範",可以知道這兩份文件
provide detailed specifications for the required service 為所需服務提供詳細規格
usage information and data process procedures within 使用信息和數據處理程序內
the FBIS in Chapters 2 and 3. 在第 2 章和第 3 章的 FBIS 中。
Inspected the "FBIS System User Operation Log," it is 審查了“FBIS 系統使用者操作日誌”,確認 FBIS 有完整的使用者操作記錄
confirmed that FBIS has a complete record of user 包括輸入、查詢、匯出等操作
operations, including input, queries, exports, etc., and 並
the system allows real-time monitoring of user 系統允許對用戶進行實時監控
activities.
Inspected the "Database Routine Maintenance 檢查了“數據庫例行維護檢查表”,觀察到組織
Checklist," it is observed that the organization
regularly conducts maintenance checks on the SQL 定期對 FBIS 的 SQL 數據庫進行維護檢查
database of FBIS. This includes: 這包括:
- Daily checks on the database service execution - 每日對數據庫服務執行檢查
status and database backup execution status. 狀態和數據庫備份執行狀態。
No exceptions noted. 未發現任何異常。
Trust Services Criteria for the Processing 用於處理的信任服務準則。
Integrity Category 完整性類別
Description of FISC Service FISC 服務描述
Organization's Controls 組織控制
Service Auditor's Tests of Controls 服務審計師對控制測試
Results of Service 服務結果
Auditor's Tests of 審計師的測試
Controls
The organization has regularly 組織定期
conducted routine maintenance and 進行了 FBIS SQL 的例行維護和
restoration drills for the FBIS SQL 恢復演練
database.
- Weakly checks on database integrity and - 定期檢查數據庫完整性和
optimization of database indexes. 數據庫索引的優化。
- Monthly review of patch program installation - 每月審查補丁程序安裝
requirements.
Inspected the documentation named "Guidelines for 檢查名為“指南”的文件。
Routine Maintenance of Open Host SQL Server 開放主機 SQL Server 的例行性維護
Databases" Section 4, it specifies that a quarterly 資料庫"第 4 節規定應每季進行一次
database disaster recovery drill should be conducted. 資料庫災難復原演練。
Inspected the "Database Restoration Drill Record for 審查了“2023 年度數據恢復演練記錄”,確認組織
the Year 2023," it is confirmed that the organization 忠實執行了數據恢復演練
has faithfully executed the database restoration drill
according to the plan and has undergone review by 根據計劃並經過相關單位主管審查。
relevant unit supervisors. The organization conducts a 組織每季進行一次 FBIS SQL 數據庫恢復演練。
