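China Securities Association Fully Launches Brokerages' Cybersecurity "Final Exam"; Results in Six Major Areas Face Systematic Review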
21 Shi Ji Jing Ji Bao Dao · 2026-02-04 07:51

Core Viewpoint
- The China Securities Association has issued a three-year enhancement plan for network and information security for securities firms, requiring them to submit a survey by February 15, 2026, focusing on the completion of rigid indicators and quantifiable data [1]

Group 1: Technology Governance
- The survey emphasizes the integration of network and information security into the overall technology strategy of securities firms, ensuring a clear implementation path [2]
- A robust governance structure is essential for the execution of the strategy, requiring clear responsibilities and regular meetings of governance organizations [2]
- The assessment encourages the establishment of a standardized management framework covering the entire lifecycle of information systems, from development to operation and security [2]

Group 2: Compliance and Risk Management
- Securities firms are required to enhance internal compliance and risk management, establishing a three-line defense mechanism to identify risks and issues [4]

Group 3: Resource and Talent Management
- A scientific and reasonable technology investment mechanism is a key focus, with firms needing to ensure that annual IT investments meet at least 10% of net profit or 7% of operating revenue [6]
- The assessment also considers the full chain mechanism for attracting, training, utilizing, and retaining cybersecurity professionals [6]

Group 4: System Architecture
- The survey investigates the depth of transformation in information system architecture, focusing on the establishment of specialized architect teams for unified planning and management [8]
- It also examines the progress in enterprise-level architecture capabilities and the migration from traditional centralized architectures to distributed, low-latency, and open architectures [8][9]

Group 5: Research and Testing
- The assessment aims to promote early integration of security and quality requirements in the software development lifecycle, emphasizing the establishment of standardized demand design mechanisms [11]
- It requires firms to implement comprehensive code auditing standards and ensure 100% audit coverage for self-developed code [12]

Group 6: Operational Assurance
- The evaluation covers the resilience, intelligence, and efficiency of the operational system, requiring comprehensive assessments for system launches and detailed change management processes [14]
- Firms must establish a multi-dimensional monitoring system and leverage AI for fault detection and recovery [14]

Group 7: Security Protection
- The assessment focuses on the establishment of a robust information security protection system, including compliance with cybersecurity classification protection systems [16]
- It emphasizes the need for a closed-loop vulnerability management mechanism integrated into the development process and proactive defense capabilities [16][17]
