证券行业迎来网络和信息安全大考

Core Viewpoint - The implementation of the "Securities Company Network and Information Security Three-Year Enhancement Plan (2023-2025)" has led to a comprehensive evaluation of the securities industry's network and information security, focusing on the results of investments and developments over the past three years [1] Group 1: Evaluation Framework - The evaluation will be based on 71 specific indicators, categorized into "mandatory tasks" and "encouraging tasks," with 55 mandatory tasks and 16 encouraging tasks [2] - The evaluation covers key aspects of the entire lifecycle of securities firms' information systems, from top-level design to operational support and security protection [2] Group 2: Focus Areas - The evaluation emphasizes six core areas: improving technology governance, establishing a reasonable technology investment mechanism, enhancing information system architecture control, strengthening system development and testing management, solidifying operational support capabilities, and improving information security protection systems [2] - Technology investment is highlighted as a critical area, with specific quantitative indicators set for technology spending, including a requirement for average annual IT investment to be at least 10% of average net profit or 7% of average revenue from 2023 to 2025 [3] Group 3: System Architecture and Management - Enhancing information system architecture control and development management is identified as a core focus, with specific tasks aimed at improving system architecture management mechanisms and increasing core system autonomy [3] - The evaluation includes 19 tasks related to operational support, emphasizing the importance of emergency response management and data backup capabilities following recent system outages in the industry [4] Group 4: Information Security Protection - The evaluation includes 21 tasks related to strengthening the information security protection system, with a focus on vulnerability management, attack prevention, and data security management [4] - Key tasks such as enhancing network security situational awareness and data security management system construction are highlighted, reflecting regulatory emphasis on data safety and proactive defense capabilities [4]