Components of the System Used to Provide the Service
I. People
The board of directors exercises independent supervision over the design and implementation of internal control and regularly evaluates its effectiveness. Management, under the supervision of the board of directors, establishes an organizational structure, a reporting system, and appropriate authority and responsibilities so that FISC can achieve its objectives. Changes to infrastructure, data, software, and operating procedures are authorized, designed, developed or acquired, configured, documented, tested, approved, and implemented in order to achieve those objectives.
FISC has documented roles and responsibilities based on functional discipline within the company. The organizational structure, with defined reporting authority, is also documented and posted internally, including the roles involved with the security, availability, processing integrity, and confidentiality trust principles. Management periodically assesses the number of people and the skills needed in the IT department, and a mechanism is in place so that deficiencies in internal control are communicated to appropriate management personnel.
For risk management, FISC has set up a risk assessment organizational structure consisting of the board of directors, the risk management committee, the risk management director, the risk management team, every department of FISC, and the audit department, which reports to the board of directors. The annual risk assessment is carried out by the "Risk Management Team" and its results are summarized. This team reports directly to the general manager and consists of 1 team leader and 3 team members. The duties of the risk management team include researching and revising risk management systems; researching, planning, and implementing risk management issues; and supervising the risk management self-assessment activities of the various units.
Regarding FBIS, the related personnel are planned as follows:
System operation
- 1 supervisor, responsible for reviewing the content of the tasks undertaken by the team members and assisting them in completing the assigned tasks.
- 1 online operation member, responsible for daily operations such as checking batch results, adding and deleting the settings of participating units (inquiry agencies and responding agencies), and change operations such as user setting changes.
- 1 approval member, responsible for reviewing and releasing the add/delete settings of participating units (inquiry agencies and responding agencies), reviewing and releasing daily operations, and releasing change operations.
System development
- 1 supervisor, responsible for reviewing the content of the tasks undertaken by the team members and assisting them in completing the assigned tasks.
- 1 system planning and analysis member, who oversees system planning, requirement confirmation and analysis, operation process planning and specification issuance, procurement operations, and supplier communication and coordination related to FBIS.
- 2 system design and development members, responsible for confirming requirements with vendors, installing and building systems, writing test cases and running functional tests, and system maintenance and monitoring operations.
II. Software and Infrastructure
FISC provides FBIS confirmation service operations for the External Confirmation Auditing Agency Service, the External Confirmation Responding Bank Service, and the Financial Blockchain Network System, including support services and associated data processing operations; FISC provides the system hardware, software, support services, and administrative services. For its Certificate Authority ("CA") service, FBIS is connected to the Registration Authority ("RA") system of TAIWAN-CA INC. ("TWCA"). The scope of this assessment includes all of the systems detailed below. Daily maintenance management is supported by other FISC systems such as the Vulnerability Management System and the information security management system.
| Application | Operating System | Database | Data Center Location | Administered by (location) | Application Description |
|---|---|---|---|---|---|
| Financial Blockchain Information System - External Confirmation Auditing Agency Service | MS Windows 2016 | SQL Server 2016 | FISC (Taipei, Taiwan (R.O.C.)); FISC (Taichung, Taiwan (R.O.C.)) | FISC (Taipei, Taiwan (R.O.C.)); FISC (Taichung, Taiwan (R.O.C.)) | Provides services to auditors (audit organizations) and auditees (companies being audited). Through the system, auditors can request approval from companies or apply for external confirmations, and auditees can approve. After the banks reply, auditors receive the confirmation results through the system. |
| Financial Blockchain Information System - External Confirmation Responding Bank Service | MS Windows 2016 | SQL Server 2016 | FISC (Taipei, Taiwan (R.O.C.)); FISC (Taichung, Taiwan (R.O.C.)) | FISC (Taipei, Taiwan (R.O.C.)); FISC (Taichung, Taiwan (R.O.C.)) | Provides services to banks for replying to external confirmations. Through the system, banks can receive confirmations and respond to the auditor. |
| Financial Blockchain Network System | Ubuntu V16.04.6 | (None) | FISC (Taipei, Taiwan (R.O.C.)); FISC (Taichung, Taiwan (R.O.C.)) | FISC (Taipei, Taiwan (R.O.C.)); FISC (Taichung, Taiwan (R.O.C.)) | Consists of blockchain nodes that provide the blockchain service. |
III. Procedures
FISC has developed various internal criteria documents, and staff follow internal procedures to perform operations. Specifications related to the various trust criteria are presented in this report, for example:
Trust Services Criteria Relevant to Security
Control Environment
FISC has established the "Management System Specification", which stipulates that management approves the operational objectives, policies, and guidelines of the management system, and the "Work Rules", which stipulate that employees must perform their duties honestly. The "Working Guidelines for Performance Management Implementation", "Working Guidelines for Employees' Retention and Promotion", "Management Guidelines for Contracts with Third Parties", and "Rules for Supplier Evaluation Management" are also established and regularly assessed to ensure that the performance of employees and outsourced personnel meets expectations. Each department of FISC is established according to the "Proper Levels & Responsibilities List", which is compiled according to the department's attributes. The board of directors is convened and chaired by the chairman and, in principle, meets regularly every three months. The "Information System and Information Security Advisory Group" was also established to provide professional opinions on major proposals concerning the company's information systems and information security, and to strengthen the board's decision-making and supervision of information system and information security issues.
Communication and Information
FISC has established the "Internal Control Policy", whose goal is to establish an internal control system that promotes the sound operation of the company and is followed by the board of directors, management, and employees. In addition, the "Risk Management Operation Rules" are established for risk management: each unit reports the implementation of its risk management plans or objectives regularly in the business report to facilitate communication, discussion, review, and improvement, and each unit must conduct a risk management self-assessment at least once a year. To raise information security awareness across the whole company, the "Working Guidelines for Employee Education and Training Management" set out the content of education and training and the regulations on internal and external training. If an abnormal incident occurs in the organization, it is reported and handled according to the "Reporting and Handling Points of Abnormal Incidents".
Risk Assessment
FISC has established the "Working Guidelines for Risk Assessment" to explain how each management system is promoted and to plan the scope and schedule of risk assessment work. Each department cooperates with the operation plan decided by the management review meeting to carry out risk assessment operations, reflect the current state of risk changes, and explain the risk assessment operating mechanism. FISC has also established the "Regulations for Risk Management" to explain the company's implementation of risk management, submit risk control reports regularly, and report to the board of directors; this includes taking steps to assess possible losses, providing adequate loss provisions in a timely manner, and reporting them to the board of directors.
Monitoring Activities
FISC has established the "Network Security Management Manual", which stipulates that the monitoring mechanism covers items such as the availability and capacity performance of network security equipment and various information security abnormal events, and which establishes a vulnerability management mechanism requiring that medium-, high-, and major-risk weaknesses be remediated within 6 months. Where a weakness cannot be corrected within the time limit (for example, no correction is possible, or the manufacturer does not provide security updates), the administrator of the system equipment fills in the "Information Security Exception Management Application Form", stating the reason or the compensating measures, and submits it to the company's risk management supervisor for approval.
Control Activities
FISC has established the "Working Guidelines for the Problems and Needs Management Operation System", which states that management understands and determines the dependencies and linkages between business processes, control activities, and general controls. In addition, FISC has established the "Internal Control Policy", which states that the company should establish an internal control audit system, a self-audit system, and a regulatory compliance and risk management mechanism in order to maintain the operation of the internal control system. Regular review meetings are also held to review the assessment results.
Logical and Physical Access Controls
FISC has established the "Working Guidelines for Access Apply and Change Regarding Financial Operating System", which sets out the execution process and the access activities of accounts. Users can log in to the operating host only from within the physical control area (such as the operation room, terminal room, connection management room, customer service center, etc.); logging in from other places is forbidden. When logging in to the terminal management system (the entrance for connecting to the operating host), the user enters their account number and password and then the one-time password generated by the two-factor authentication token to complete two-factor verification.
System Operations
FISC has established the "Working Handbook for Internet Security Management", which states that alert thresholds are to be set for the status, effectiveness, and events of internet security equipment. If an abnormality occurs, instant messages and e-mails are sent to notify the related operators. In addition, computers and network equipment using the TCP/IP communication protocol are subject to security vulnerability assessment by the security manager or professional vendors.
Change Management
FISC has established the "Financial Information System Change Management Procedure", which sets out in detail the procedures for application review, the execution of permissions, and the development process for system changes. The organization's application systems are mostly changed in response to demand, so the organization has established a control mechanism to implement change management, divided into R&D, testing, and operation environments. Corrections are made in the R&D environment by checking out the code from Dimensions. After completion, the test worksheet is used to apply for the change to the operating system.
Risk Mitigation
FISC has established the "Financial Blockchain Information Inquiry Operation Plan", which sets out mechanisms for system backup, data backup, and function recovery to prevent the serious impact of data loss or operational interruption caused by system failure; the backup mechanism ensures the normal operation of the system. In addition, FISC carries commercial fire insurance and electronic equipment insurance for all hardware equipment at the Donghu, Nangang, and Taichung backup centers. Finally, for the risk management and response of vendors and business partners, FISC has incorporated the relevant requirements into its contracts.
Trust Services Criteria for Availability
According to the "Personal Computer and Server Management Manual", the requesting unit submits a demand application, and the system department is entrusted to handle or purchase the required equipment. Information system resources are allocated and managed on a shared basis, using an Active-Active architecture or a sufficient backup mechanism to ensure the availability of resources, so that the abnormality or failure of a single device does not affect business services.
Besides, FISC has established the document "Key Points for Handling Environmental Facility Abnormalities", which identifies abnormal environmental incidents, including air-conditioning system failure, water damage, building or structure collapse, telephone communication system failure, power supply interruption, earthquake (Taipei basin intensity above 6), flood, fire, man-made damage, and infectious disease (such as bird flu, malaria, plague, SARS, etc.). If it is discovered that the incident may cause system failure, the assistant of the management department or designated personnel report to the team leader of the "Emergency Handling Team" in accordance with the "Emergency Response Operation Points".
Trust Services Criteria for Confidentiality
FISC has established the documents "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System Requirements Function External Confirmation Front-end Transaction System Analysis Specification V1.00" to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.
Besides, these documents also describe how to erase or otherwise destroy confidential information that has been identified for destruction.
Trust Services Criteria for Processing Integrity
FISC has established the documents "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification" to identify the information specifications required to support the use of its products and services.
Besides, the system has a fool-proof mechanism for input data when the confirmation inquiry and responding units enter the relevant information. The relevant data processing and transmission takes place within the system in certificate-encrypted form, and the system does not keep a temporary file after the data transmission is completed.
IV. Data
End-to-end verification takes place between the accounting firm and the financial institution, and the confirmation is encrypted. No third-party institution (including FISC) can know the content of the confirmation request, which masks the transaction data and ensures data privacy. In this mode, the confirmation reply data from the financial institution is encrypted and protected with the accounting firm's certificate, and the confirmation request data is transmitted as ciphertext. FISC does not hold the accounting firm's decryption certificate and therefore cannot decrypt the inquiry data. After the accounting firm receives the encrypted confirmation data, the firm must use the corresponding certificate to decrypt it before it can read the content in plain text. To ensure data confidentiality, information security control, and the protection of customer rights, FISC records the hash value of the transaction data on the blockchain. The relevant transaction records cannot be added to or changed after the fact. The content of the confirmation request is not stored on the chain, which protects the transaction data.
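The data model above, as an added illustration that is not FISC's code: the bank's reply is encrypted to the firm's public key before it reaches the relay, the relay anchors only a SHA-256 digest of what it actually sees (the ciphertext, an assumption since the description does not say which bytes are hashed), and the firm checks the anchor before decrypting. RSA-OAEP stands in for the certificate-based encryption and an in-memory append-only list for the blockchain; both are assumptions.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Ledger is a constructed stand-in for the blockchain nodes: an append-only
// list of SHA-256 digests. Only digests are anchored; content never goes on chain.
type Ledger struct{ entries []string }

// Append anchors a digest and returns its index (the "transaction record").
func (l *Ledger) Append(digest [32]byte) int {
	l.entries = append(l.entries, hex.EncodeToString(digest[:]))
	return len(l.entries) - 1
}

// Envelope is everything the relay (FISC in the description) handles:
// ciphertext plus the index of the digest anchored on the ledger.
type Envelope struct {
	Ciphertext []byte
	LedgerIdx  int
}

// BankReply encrypts the bank's confirmation reply under the accounting firm's
// public key (the firm's certificate in the text) with RSA-OAEP, so the reply
// leaves the bank already as ciphertext.
func BankReply(firmPub *rsa.PublicKey, reply []byte) (*Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, firmPub, reply, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, LedgerIdx: -1}, nil
}

// RelayAnchor is the intermediary step: the relay holds no private key, so all
// it can do with the envelope is hash the ciphertext and anchor that digest.
func RelayAnchor(l *Ledger, env *Envelope) {
	env.LedgerIdx = l.Append(sha256.Sum256(env.Ciphertext))
}

// OtherKeyCannotRead models the relay (or any third party) trying to open the
// envelope with a key other than the firm's: OAEP decryption fails outright.
func OtherKeyCannotRead(other *rsa.PrivateKey, env *Envelope) bool {
	_, err := rsa.DecryptOAEP(sha256.New(), nil, other, env.Ciphertext, nil)
	return err != nil
}

// FirmOpen is the accounting firm's side: check the received ciphertext against
// the anchored digest, then decrypt with the firm's private key.
func FirmOpen(firmPriv *rsa.PrivateKey, l *Ledger, env *Envelope) ([]byte, error) {
	if env.LedgerIdx < 0 || env.LedgerIdx >= len(l.entries) {
		return nil, errors.New("no ledger anchor for this envelope")
	}
	got := sha256.Sum256(env.Ciphertext)
	if hex.EncodeToString(got[:]) != l.entries[env.LedgerIdx] {
		return nil, errors.New("ciphertext does not match the anchored hash")
	}
	return rsa.DecryptOAEP(sha256.New(), nil, firmPriv, env.Ciphertext, nil)
}

// RoundTrip runs bank -> relay -> firm for one reply and reports whether the
// firm recovered the original text and whether a copy altered in transit is
// rejected by the ledger check.
func RoundTrip(firmPriv *rsa.PrivateKey, reply []byte) (recovered, tamperDetected bool, err error) {
	ledger := &Ledger{}
	env, err := BankReply(&firmPriv.PublicKey, reply)
	if err != nil {
		return false, false, err
	}
	RelayAnchor(ledger, env)
	pt, err := FirmOpen(firmPriv, ledger, env)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(pt, reply)
	// Constructed tamper case: one byte flipped in transit, anchor unchanged.
	bad := &Envelope{Ciphertext: append([]byte(nil), env.Ciphertext...), LedgerIdx: env.LedgerIdx}
	bad.Ciphertext[0] ^= 0x01
	_, terr := FirmOpen(firmPriv, ledger, bad)
	return recovered, terr != nil, nil
}

func main() {
	firmKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample reply; a real one would carry account and balance fields.
	reply := []byte("confirmation-id=DEMO-0001 balance-as-of=2023-12-31 status=agreed")
	ok, tamper, err := RoundTrip(firmKey, reply)
	fmt.Println("firm recovered plaintext:", ok, "tamper detected:", tamper, "err:", err)
}
```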
Relevant Aspects of the Control Environment, Risk Assessment Process, Information and Communication, and Monitoring
The security category and the applicable trust services criteria were used to evaluate the suitability of the design and the operating effectiveness of the controls stated in the description. The security criteria, and the controls designed, implemented, and operated to meet them, ensure that the system is protected against unauthorized access (both physical and logical). The controls supporting the applicable trust services security criteria are included in section 4 of this report. Although the applicable trust services criteria and related controls are included in section 4, they are an integral part of FISC's description of FBIS.
Security Control elements
FISC's security control reflects the position taken by management and the Board of Directors concerning the importance of controls and the emphasis given to controls in FBIS's policies, procedures, methods, and organizational structure. Key elements of FISC's control environment include oversight by FISC's Board of Directors, Human Resources (HR) policies and practices, employee education, risk assessment and monitoring, and information and communication.
Security Control elements and their description at FISC:
Communication and Enforcement of Integrity and Ethical Values
- A statement of ethical values is available throughout the organization.
- A formal code of conduct is communicated to employees.
- A culture exists emphasizing the importance of integrity and ethical behavior through oral communication and management example.
Commitment to Competence
- HR policies and procedures are accessible to employees.
- Job descriptions are available containing minimum qualifications and job responsibilities.
- Resources are available for employees, including equipment, software, and manuals.
- Training is provided within FISC from a variety of sources.
Participation of the Board of Directors
- FISC corporate bylaws and/or charter(s) exist outlining the responsibilities of the board and management.
- A board of directors has been established and is charged with FISC corporate governance.
- The board members include eleven to fifteen Directors and three to five Supervisors, who shall be elected by the shareholders' meeting from among persons with disposing capacity.
- The board members meet periodically to discharge the responsibilities of the board.
- The board members receive detailed reports and other information in advance of each meeting.
Management Philosophy and Operating Style
- FISC IT Management emphasizes the importance of managing risks related to the security trust principles in FBIS's interaction with those involved in the process.
- FISC IT Management is aware of security trust principle breaches or other significant issues.
- Policies and Standard Operating Procedures are established and articulated by management.
- FISC has an Incident Response process and breach protocol.
Organizational Structure
- FISC has documented roles and responsibilities based on functional discipline within the company. The organizational structure, with defined reporting authority, is also documented and posted internally, including the roles involved with the security trust principles.
- The number of people and necessary skills needed in the IT department is periodically assessed by management.
- A mechanism is in place so that deficiencies in internal control are communicated to appropriate management personnel.
Authority and Responsibility
- Management's description of the responsibilities and authorities of key security trust principle positions is reviewed by those charged with governance (or the Board).
- With respect to security trust principle areas, responsibility and authority for decision making are assigned.
- Limitations are placed on the assignment of authority and responsibility.
Security Control elements and their description at FISC (continued):
Human Resources Policies and Procedures
- Human resources policies and practices are available on the FISC corporate intranet and are updated on a periodic basis.
- For positions related to the security trust principles, management conducts background investigations and performs reference checks prior to hiring, including a criminal background search, past employment verification, and education verification.
- Background checks are also performed for positions with high-level responsibility.
- To promote ethical behavior in the organization, training and awareness programs are provided.
- Periodic performance reviews and appraisals are done for all personnel, and the results are well documented.
- Training is provided within FISC from a variety of sources. Management develops and conducts training on its systems, processes, and procedures to provide specifically identified skills and knowledge to the workforce. Management also sends individual employees to training conducted externally by various organizations.
- Exit interviews are performed, including inquiries about concerns related to integrity and ethical values and to internal control.
Risk Assessment
- The FISC Risk Management Team conducts a yearly risk assessment. The risk assessment is used to drive the activities of the internal control function.
- Business plans are created each year that establish priorities and allocate resources to address those priorities.
- IT plans are created each year that establish priorities and allocate resources to address those priorities.
- An incident investigation and remediation system exists that includes a tracking mechanism allowing management to report on material fraud events.
Information and Communication
- The organization periodically assesses the sufficiency of FBIS information systems to capture and report data that are timely, current, accurate, and accessible.
- Information about the entity's security trust principle objectives, internal control policies and procedures, and related individual responsibilities is communicated via e-mail, NOTES billboards, MS SharePoint, etc. to reinforce the entity's commitment to internal control.
- A FISC corporate intranet site or other communication tool exists for disseminating information, including information about internal control around the security trust principles.
- Instructions on how to access and submit a matter using the entity's whistle-blower program are available.
- Findings of the external auditor, along with management's proposed resolutions, are addressed with those charged with governance.
Security Control elements and their description at FISC (continued):
Monitoring
- The organization periodically assesses the sufficiency of FBIS systems to capture and report data that are timely, current, accurate, and accessible.
- Information about the entity's security trust principle objectives, internal control policies and procedures, and related individual responsibilities is communicated via e-mail, NOTES billboard, MS SharePoint, etc. to reinforce the entity's commitment to internal control.
- A FISC corporate intranet site or other communication tool exists for disseminating information, including information about internal control around the security trust principles.
- Instructions on how to access and submit a matter using the entity's whistle-blower program are generally available.
- Information regarding the whistle-blower program is made available to external parties.
- Findings of the external auditor, along with management's proposed resolutions, are addressed with those charged with governance.
Security and Availability Incident Communication
The company's main communication channel is the official document; other matters are handled in compliance with laws and regulations. For example, under the Information Security Management Law, information about security incidents is reported in accordance with the "Notification and Handling Guidelines for Abnormal Incidents", which state the contact person and procedure when an incident occurs, together with other countermeasures. During the period, no security incident and no system failure occurred.
Trust Criteria and Related Control Activities
FISC's related controls and their mapping to the applicable criteria are included in section 4 of this report, "Trust Services Category, Criteria, Related Controls, and Tests of Controls," to eliminate the redundancy that would result from listing them in this section and repeating them in section 4. Although the related controls and their mapping to the applicable criteria are included in section 4 of this report, they are nevertheless an integral part of FISC's description of the system.
Changes to the System during the Period
During the COVID-19 epidemic, the main maintenance and operation structure of the system remained unchanged, and employees who were diagnosed or in home isolation worked from home according to the company's instructions. Related instructions are announced in the company's internal epidemic prevention area. Employees assigned to work from home during the COVID-19 epidemic were issued company laptops and applied for remote access rights. If needed, employees can use online meeting software such as Webex for online meetings.
Besides, to follow organizational adjustments and the implementation of the division of labor, the Information Security Department of FISC was established after approval at the 3rd meeting of the 9th board of directors on November . The official adjustment is effective from December. The Information Security Department is responsible for organizing the information security management operations that previously belonged to the security control team of the Information Technology Department. It is mainly responsible for information security policies and compliance matters; the establishment, promotion, and maintenance of the information security management system; the collection and analysis of threat intelligence; and other information security management matters.
SECTION 4 - TRUST SERVICES CATEGORY, CRITERIA, RELATED CONTROLS, AND TESTS OF CONTROLS
Applicable Trust Services Criteria Relevant to Security
The trust services criteria relevant to security address the need for information and systems to be protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, processing integrity and confidentiality of information or systems and affect the service organization's ability to achieve its service commitments and system requirements.
Security refers to the protection of
i. Information during its collection or creation, use, processing, transmission, and storage; and
ii. Systems that use electronic information to process, transmit or transfer, and store information to enable the achievement of FISC's service commitments and system requirements. Controls over security prevent or detect the breakdown and circumvention of segregation of duties, system failure, incorrect processing, theft or other unauthorized removal of information or system resources, misuse of software, and improper access to or use of, alteration, destruction, or disclosure of information.
Control Environment

Trust Services Criteria for the Security Category:
CC1.1 - COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.

Description of FISC Service Organization's Controls:
The organization has established the documentation "Management System Specification" and "Work Rules", which state the guidance of work for supporting the organization's internal controls.
Results of Service Auditor's Tests of Controls:
No exceptions noted.

Description of FISC Service Organization's Controls:
The organization has established standards of conduct in documentation such as "Work Rules", "Labor Contract" and "Declaration of Avoidance of Interests".
Service Auditor's Tests of Controls:
Inspected the documentation named "Work Rules", article 11, and confirmed the proper labor relation of trust and harmony, as well as employees' integrity duty, which has been approved and implemented by the management level. All employees must sign the "Labor Contract" and the "Declaration of Avoidance of Interests". The latest version of "Work Rules" was approved by the chief executive officer on April 12th, 2022.
Inspected a selection of employees; all of them have signed the "Labor Contract" and the "Declaration of Avoidance of Interests".
Results of Service Auditor's Tests of Controls:
No exceptions noted.

Description of FISC Service Organization's Controls:
The organization has established the documentation "Work Rules", "Working Guidelines for Performance Management Implementation" and "Personnel Evaluation Committee Procedure", which state the evaluation and reporting mechanism of performance management and the related award or punishment.
Results of Service Auditor's Tests of Controls:
No exceptions noted.

Description of FISC Service Organization's Controls:
The organization has established the documentation "Management Guidelines for Contracts with Third Parties", which states the requirements for contractors and vendors.
Service Auditor's Tests of Controls:
Inspected "Management Guidelines for Contracts with Third Parties", which was signed by the chief executive officer on March , 2020; article 5.1 "Identify Risk of Third Parties Access" lists the relevant regulations to evaluate third parties and was approved by the chief executive officer.
Inquired of the HR manager: outsourced personnel and contractors hired by the company in accordance with the contract must abide by the company's relevant operating regulations.
Inspected a sample of the outsourced personnel; all of them have signed the Confidentiality Agreement and the Computer Software Safety Affidavit.
Results of Service Auditor's Tests of Controls:
No exceptions noted.
Trust Services Criteria for the Security Category:
CC1.2 - COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Description of FISC Service Organization's Controls:
The organization has established the "Responsibilities List" to demonstrate the importance of integrity and ethical values.

Description of FISC Service Organization's Controls:
The organization has established the statement of work, which states the change terms and the communication protocol channel, such as reports or meetings.
Service Auditor's Tests of Controls:
Since there are no new projects in 2022, inspected the "Financial Blockchain Financing System Implementation Project" to determine that the attached statement of work specifies change management and the project report or meeting communication.
Results of Service Auditor's Tests of Controls:
No exceptions noted.

Description of FISC Service Organization's Controls:
The organization has established the statement of work, which clearly states the problem-solving procedures and the regular evaluation of contract performance through project reports or meetings.
Service Auditor's Tests of Controls:
Since there are no new projects in 2022, inspected the "Financial Blockchain Financing System Implementation Project" to determine that the attached statement of work specifies problem-solving procedures and the regular evaluation of contract performance through project reports or meetings.
Results of Service Auditor's Tests of Controls:
No exceptions noted.

Description of FISC Service Organization's Controls:
The organization has established the statement of work, which clearly states the contract termination procedure.
Service Auditor's Tests of Controls:
Since there are no new projects in 2022, inspected the "Financial Blockchain Financing System Implementation Project"; the contract specifies the termination procedure.
Results of Service Auditor's Tests of Controls:
No exceptions noted.

Description of FISC Service Organization's Controls:
The organization has established the contract, whose confidentiality terms meet the company's internal requirements and are evaluated when necessary.
Service Auditor's Tests of Controls:
Since there are no new projects in 2022, inspected the "Financial Blockchain Financing System Implementation Project"; the contract confidentiality clause meets the company's internal requirements.
Results of Service Auditor's Tests of Controls:
No exceptions noted.

Description of FISC Service Organization's Controls:
The organization has established the contract, whose personal information protection terms meet the company's internal requirements and are evaluated when necessary.
Service Auditor's Tests of Controls:
Since there are no new projects in 2022, inspected the "Financial Blockchain Financing System Implementation Project"; the protection of personal information is clearly regulated, and the protection of personal information meets the company's internal requirements.
Results of Service Auditor's Tests of Controls:
No exceptions noted.
Applicable Trust Services Criteria for the Availability
The trust services criteria for availability address the need for information and systems to be available for operation and use to meet the entity's objectives. Availability refers to the accessibility of information used by the entity's systems as well as the products or services provided to its customers. The availability objective does not, in itself, set a minimum acceptable performance level; it does not address system functionality (the specific functions a system performs) or usability (the ability of users to apply system functions to the performance of specific tasks or problems). However, it does address whether systems include controls to support accessibility for operation, monitoring, and maintenance.
Additional Criteria to Availability
Trust Services Criteria for the Availability Category:
A1.1 - The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

Description of FISC Service Organization's Controls:
The organization has established the documentation "Personal Computer and Server Management Manual" to ensure and maintain the availability of the system.
If needed, employees can use change application forms, approved by the related person in charge, to change system capacity settings.

Service Auditor's Tests of Controls:
Inspected the "Personal Computer and Server Management Manual V8": the demanding unit submits a demand application, and the system department is entrusted to handle or purchase the required equipment. The allocation and management of information system resources adopt sharing methods and use an Active-Active architecture or a sufficient backup mechanism to ensure the availability of resources, so that a single device abnormality or failure does not affect business services.
Considering the limited capacity caused by the failure of various elements in the system, the "Personal Computer and Server Management Manual V8" establishes a system-site backup mechanism, coordinated with maintenance/change operations to actually switch to the backup device.
Besides, in the "Personal Computer and Server Management Manual V8", warning standards are set for operating server status, resource performance and system messages. If an abnormality is found, a warning message is sent immediately to notify the equipment administrator to investigate and handle it.
Finally, the "Personal Computer and Server Management Manual V8" mentions that the equipment administrator will coordinate the installation of performance monitoring software or use the performance monitor attached to the operating system to monitor all business operation server resources, including processor, memory and disk drive usage, which serve as a reference basis for system capacity planning.
On the other side, considering that DDoS attacks will cause network bandwidth restrictions, the organization rented Chunghwa Telecom's DDoS protection solution.
Inquired of the Information Security Group of the Security Control Department, currently using
2. The backup materials are regularly processed for backup mechanism exercises, including same-site, remote and database recovery exercises.
3. Inquired of the member from the IT team that important business data is backed up according to data backup and recovery requirements, and tests are performed regularly. Currently, they are processed once a year. The scenario assumes that the main center has a catastrophe, and the backup center performs data recovery operations.

Results of Service Auditor's Tests of Controls:
No exceptions noted.
Applicable Trust Services Criteria for the Confidentiality
The trust services criteria for confidentiality address the need for information designated as confidential to be protected to meet the entity's objectives. Confidentiality addresses the entity's ability to protect information designated as confidential from its collection or creation through its final disposition and removal from the entity's control in accordance with management's objectives. Information is confidential if the custodian (for example, an entity that holds or stores information) of the information is required to limit its access, use, and retention and restrict its disclosure to defined parties (including those who may otherwise have authorized access within its system boundaries). Confidentiality requirements may be contained in laws or regulations or in contracts or agreements that contain commitments made to customers or others. The need for information to be confidential may arise for many different reasons. For example, the information may be proprietary, intended only for entity personnel. Confidentiality is distinguished from privacy in that privacy applies only to personal information, whereas confidentiality applies to various types of sensitive information. In addition, the privacy objective addresses requirements regarding collection, use, retention, disclosure, and disposal of personal information. Confidential information may include personal information as well as other information, such as trade secrets and intellectual property.
Additional Criteria to Confidentiality
Trust Services Criteria for the Confidentiality Category:
C1.1 - The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality.

Description of FISC Service Organization's Controls:
The organization has established the documentation "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System Requirements Function External Confirmation Front-end Transaction System Analysis Specification V1.00" to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.

Service Auditor's Tests of Controls:
Inspected the description of the 2.2.6.1 confirmation response of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification V2", which mentions that the confirmation should be encrypted with the verification unit's exclusive certificate; because FISC does not hold the verification unit's private exclusive certificate, the confirmation cannot be decrypted by FISC.
Due to the description above, the system has no confidential information.
Besides, the description of the 5.5 file encryption method of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification V2" explains the operation mechanism of the encryption.
Inspected the description of the 4.16.4 business rule of "Financial Blockchain Information System Requirements Function External Confirmation Front-end Transaction System Analysis Specification V1.00", stating that "(6) The system must obfuscate the generated response files; they are compressed with the data compression password and downloaded to the operator's computer. The server system does not retain the clear text of the reply. After the compressed file is generated, the temporarily generated reply file should be deleted."
Finally, the relevant specifications of the system for the "Financial Blockchain Financing System Implementation Project" are on the basis of the previous project.
Viewed the real screen of the database; the information is encrypted.

Results of Service Auditor's Tests of Controls:
No exceptions noted.
Trust Services Criteria for the Confidentiality Category:
C1.2 - The entity disposes of confidential information to meet the entity's objectives related to confidentiality.

Description of FISC Service Organization's Controls:
The organization has established the documentation "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System Requirements Function External Confirmation Front-end Transaction System Analysis Specification V1.00" to identify confidential information requiring destruction when the end of the retention period is reached. Besides, these documents also describe how to erase or otherwise destroy confidential information that has been identified for destruction.

Service Auditor's Tests of Controls:
Inspected the description of the 2.2.6.1 confirmation response of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification(V2)", which mentions that the confirmation should be encrypted with the verification unit's exclusive certificate; because FISC does not hold the verification unit's private exclusive certificate, the confirmation cannot be decrypted by FISC.
Due to the description above, the system has no confidential information.
Besides, the description of the 5.5 file encryption method of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" explains the operation mechanism of the encryption.
Inspected the description of the 4.16.4 business rule of "Financial Blockchain Information System Requirements Function External Confirmation Front-end Transaction System Analysis Specification V1.00", stating that "(6) The system must obfuscate the generated response files; they are compressed with the data compression password and downloaded to the operator's computer. The server system does not retain the clear text of the reply. After the compressed file is generated, the temporarily generated reply file should be deleted."
Finally, the relevant specifications of the system for the "Financial Blockchain Financing System Implementation Project" are on the basis of the previous project.
Viewed the real screen of the database; the information is encrypted.

Results of Service Auditor's Tests of Controls:
No exceptions noted.
Applicable Trust Services Criteria for the Processing Integrity
The trust services criteria for processing integrity address the need for system processing to be complete, valid, accurate, timely, and authorized to meet the entity's objectives. Processing integrity refers to the completeness, validity, accuracy, timeliness, and authorization of system processing. Processing integrity addresses whether systems achieve the aim or purpose for which they exist and whether they perform their intended functions in an unimpaired manner, free from error, delay, omission, and unauthorized or inadvertent manipulation. Because of the number of systems used by an entity, processing integrity is usually only addressed at the system or functional level of an entity. In a SOC for Supply Chain examination, processing integrity refers to whether processing is complete, valid, accurate, timely, and authorized to produce, manufacture, or distribute goods that meet the products' specifications.
Additional Criteria for Processing Integrity
Trust Services Criteria for the Processing Integrity Category:
PI1.1 - The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.

Description of FISC Service Organization's Controls:
The organization has established the documentation "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification" to identify the information specifications required to support the use of products and services.

Service Auditor's Tests of Controls:
Inspected the "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification(V2)" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification(V1)"; the information specification of this system has been identified.
The definition of the information specification is mentioned in the descriptions of 2.3.8.1, 2.3.9 and 2.3.10.1 of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification V2".

Results of Service Auditor's Tests of Controls:
No exceptions noted.
Trust Services Criteria for the Processing Integrity Category:
PI1.2 - The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives.

Description of FISC Service Organization's Controls:
The organization has established the documentation "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification" to satisfy the following requirements:
1. Identify that the information specifications required to meet requirements are defined.
2. Evaluate the processing inputs for compliance with the defined input requirements.
3. Ensure the records of system input activities are created and maintained completely and accurately in a timely manner.

Service Auditor's Tests of Controls:
Inspected "Financial Blockchain Information System Requirements Function External Confirmation Front-end Transaction System Analysis Specification V1.00", which is based on "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification(V2)" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification(V1)" and defines the "input" characteristics of processing.
The data store in the "input" process is mentioned in the description of 4.8 of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification V2".
Inspected the testing result: since the specific field cannot be null and its format is defined, the alarm message is designed to remind the user if any data is incorrect.

Results of Service Auditor's Tests of Controls:
No exceptions noted.
Trust Services Criteria for the Processing Integrity Category:
PI1.3 - The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives.

Description of FISC Service Organization's Controls:
The organization has established the documentation "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification" to satisfy the following requirements:
1. Ensure the processing specifications that are necessary to meet product or service requirements are defined.
2. Ensure the processing activities are defined to result in products or services that meet specifications.
3. Ensure the errors in the production process are detected and corrected in a timely manner.
4. Ensure the system processing activities are recorded completely and accurately in a timely manner.
5. Ensure the inputs are processed completely, accurately, and timely as authorized in accordance with the defined processing activities.
The system has established a fool-proof mechanism for input data when inputting relevant information from the confirmation inquiry and reply unit. The relevant data processing and transmission process exists in the system in the form of certificate encryption, and the system does not keep a temporary file after the data transmission is completed.

Service Auditor's Tests of Controls:
Inspected "Financial Blockchain Information System Requirements Function External Confirmation Front-end Transaction System Analysis Specification V1.00", which is based on "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification V2" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification V1" and defines the "input" characteristics of processing.
The data store in the "data processing" process is mentioned in the description of 4.8 of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification V2".
As for the inputs being processed completely, accurately and timely as authorized, this is mentioned in the description of 5.3 of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification V2".
Viewed the evidence screen of the system's fool-proof mechanism and the real screen of the database; the information is encrypted.

Results of Service Auditor's Tests of Controls:
No exceptions noted.
Confidential
PI1.4
The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives.
The organization has established the documentation "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification" to satisfy the following requirements:
1. Ensure the output is protected when stored or delivered, or both, to prevent theft, destruction, corruption, or deterioration that would prevent output from meeting specifications.
2. Ensure the output is distributed or made available only to intended parties.
3. Provide for the completeness, accuracy, and timeliness of distributed output.
4. Ensure the records of system output activities are created and maintained completely and accurately in a timely manner.
Inspected "Financial Blockchain Information System Requirements Function External Confirmation Front-end Transaction System Analysis Specification V1.00", which has been based on "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification (V2)" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification (V1)" and defines the "input" characteristics of processing.
The data store in the "output" process is described in section 4.8 of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification V2".
Outputs are processed completely, accurately and timely to meet specifications, as described in section 5.3 of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification V2".
No exceptions noted.
PI1.5
The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives.
The organization has established the documentation "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification" to satisfy the following requirements:
1. Ensure the stored items are protected to prevent theft, corruption, destruction, or deterioration that would prevent output from meeting specifications.
2. Ensure the system records are archived and archives are protected against theft, corruption, destruction, or deterioration that would prevent them from being used.
3. Provide for the complete, accurate, and timely storage of data.
4. Ensure the records of system storage activities are created and maintained completely and accurately in a timely manner.
Inspected "Financial Blockchain Information System Requirements Function External Confirmation Front-end Transaction System Analysis Specification V1.00", which was developed based on "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification (V2)" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service Connection Specification (V1)".
How the data is kept complete and accurate is described in section 5.3 of "Financial Blockchain Information System - External Confirmation Responding Bank Service Connection Specification V2".
Inspected that "Financial Blockchain Information System - External Confirmation Responding Bank Service" and "Financial Blockchain Information System - External Confirmation Auditing Agency Service V1" use the MS SQL database system to satisfy the following requirements:
1. Store and protect "system records".
2. Store data completely and accurately.
3. Create and maintain "system storage operation records".
Inquired of the staff responsible for the MS SQL database: FISC uses online instant remote backup in Taichung to protect DB system files. Physical isolation and access controls are also implemented. For privileged accounts, an application is required.
Inspected the "Open Host SQL Server Database Routine Maintenance Checklist"; database management personnel perform the following tasks daily:
1. View the execution status of the SQL Server services on all database servers.
2. View the execution status of the SQL Server Agent services on all database servers.
3. View the error log file of the database server.
4. View the database host system events.
5. Check the execution status of database backups.
6. Check the available space of the database server disk.
7. Check the available space of the database.
8. View the execution status of scheduled operations on the database server.
No exceptions noted.
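The daily checklist above lists what is checked but not how; the T-SQL below is an added example, not FISC's own checklist script, showing how each of the eight daily items can be evidenced from SQL Server's own catalog and DMVs. It assumes a SQL Server instance where the reader holds VIEW SERVER STATE and access to msdb, and the one-day backup age threshold is an assumed policy, not one stated on the page.

```sql
-- Constructed example: daily SQL Server health checks for the eight checklist items.
-- Assumes VIEW SERVER STATE and read access to msdb; run on each database server.
SET NOCOUNT ON;

-- Items 1 and 2: status of the SQL Server and SQL Server Agent services
SELECT servicename, status_desc, startup_type_desc, last_startup_time
FROM sys.dm_server_services;

-- Item 3: entries containing 'Error' in the current error log (log 0, type 1 = SQL Server log)
EXEC sp_readerrorlog 0, 1, N'Error';

-- Item 4: host system events live in the Windows event log, not in T-SQL; a reviewer
-- would read them separately, e.g. Get-WinEvent -LogName System in PowerShell.

-- Item 5: most recent full backup per database; 'CHECK' marks anything older than one day
-- (the one-day threshold is an assumed policy for this example)
SELECT d.name,
       MAX(b.backup_finish_date) AS last_full_backup,
       CASE WHEN MAX(b.backup_finish_date) IS NULL
              OR MAX(b.backup_finish_date) < DATEADD(day, -1, GETDATE())
            THEN 'CHECK' ELSE 'OK' END AS backup_state
FROM sys.databases d
LEFT JOIN msdb.dbo.backupset b ON b.database_name = d.name AND b.type = 'D'
WHERE d.name <> 'tempdb'
GROUP BY d.name;

-- Item 6: free space on every volume that holds a database file
SELECT DISTINCT vs.volume_mount_point,
       vs.total_bytes / 1048576 AS total_mb,
       vs.available_bytes / 1048576 AS free_mb
FROM sys.master_files mf
CROSS APPLY sys.dm_os_volume_stats(mf.database_id, mf.file_id) vs;

-- Item 7: allocated versus used space in the data files of the current database
-- (size and SpaceUsed are in 8 KB pages, so /128 converts to MB)
SELECT name AS logical_file,
       size / 128 AS size_mb,
       (size - FILEPROPERTY(name, 'SpaceUsed')) / 128 AS free_mb
FROM sys.database_files
WHERE type_desc = 'ROWS';

-- Item 8: outcome of scheduled SQL Agent jobs over the last day
-- (step_id 0 is the job outcome row; run_status 1 = succeeded, 0 = failed)
SELECT j.name, h.run_date, h.run_time, h.run_status, h.message
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobhistory h ON h.job_id = j.job_id AND h.step_id = 0
WHERE h.run_date >= CONVERT(int, CONVERT(char(8), DATEADD(day, -1, GETDATE()), 112))
ORDER BY h.run_status, j.name;
```

Each result set maps to one checklist item, so the output can be attached as the evidence a reviewer of this control would ask for.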
Inspected the "Open Host SQL Server Database Routine Maintenance Checklist"; database administrators perform the following tasks every week:
1. Perform a database integrity check.
2. Perform database index optimization operations.
3. Update and review database statistics.
4. View the growth attributes of database files.