
JR/T 0192-2020 English PDF

JR/T 0192-2020: (Security Regulations for Mobile Internet Applications in the Securities and Futures Industry)
Status: Valid

Basic data

Standard ID: JR/T 0192-2020 (JR/T0192-2020)
Description (translated English): Security Regulations for Mobile Internet Applications in the Securities and Futures Industry
Sector / Industry: Finance Industry Standard (Recommended)
Classification of Chinese Standard: A11
Word count estimation: 12,137
Date of issue: 2020-07-10
Date of implementation: 2020-07-10
Regulation (derived from): CSRC Announcement (2020) No. 40
Issuing agency(ies): People's Bank of China

JR/T 0192-2020: (Security Regulations for Mobile Internet Applications in the Securities and Futures Industry)


---This is a DRAFT version for illustration, not a final translation.---

ICS 03.060
A 11
JR
Financial Industry Standard of the People's Republic of China

Security specification for mobile internet application of securities and futures industry
(Security Regulations for Mobile Internet Applications in the Securities and Futures Industry)

Released 2020-07-10    Implemented 2020-07-10
Issued by the China Securities Regulatory Commission

Table of contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Mobile terminal security
  4.1 Mobile Internet applications
  4.2 Mobile terminal environment
  4.3 Installation and uninstallation
  4.4 Upgrade and update
5 Identity authentication
  5.1 Authentication method
  5.2 Authentication data protection
  5.3 Password security
6 Network communication security
  6.1 Communication protocol
  6.2 Session management
  6.3 Third-party network communication
7 Data security
  7.1 Data entry
  7.2 Data storage
8 Development security
  8.1 Security requirements
  8.2 Security development
  8.3 Security testing
  8.4 Security release
9 Security audit
  9.1 Log generation
  9.2 Log management
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This standard was proposed by the Securities Sub-Technical Committee of the National Financial Standardization Technical Committee (SAC/TC 180/SC4).

This standard is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).

Drafting organizations of this standard: China Securities Regulatory Commission Information Center, Shanghai Stock Exchange, Shenzhen Stock Exchange, China Securities Regulatory Commission Information Technology Services Co., Ltd., Shanghai Futures Exchange, Dalian Commodity Exchange, China Financial Futures Exchange, China Securities Accounting Co., Ltd., China Futures Market Monitoring Center Co., Ltd., China Futures Association, Industrial Securities Co., Ltd., Taijunan Securities Co., Ltd., Soochow Securities Co., Ltd., Everbright Securities Co., Ltd., Huatai Securities Co., Ltd., Haitong Futures Co., Ltd., Industrial Fund Management Co., Ltd., the Third Research Institute of the Ministry of Public Security, Shanghai Information Security Evaluation and Certification Center.

Main drafters of this standard: Yao Qian, Liu Tiebin, Zhou Yunhui, Ye Jing, Zhu Li, Ma Qingping, Gan Zhangsheng, Chen Lei, Ju Hongwei, Wei Fei, Ding Xinjie, Feng Xiaogen, Jiao Dongliang, Zhou Yu, Cui Huiyang, Ai Qing, Wang Yue, Chen Kaihui, Mei Kebo, Hua Renjie, Liu Song, Zhang Song, Wang Yong Bin, Xu Zhengwei, Zhang Yan, Li Hongda.

Introduction

With the vigorous rise of emerging mobile Internet technologies, an endless stream of innovative business has emerged in business-model application and technological risk control, posing new challenges to the financial industry. In the current wave of Internet finance, the pressure on information-system construction and secure operation keeps increasing, the information security situation is becoming increasingly complex, and the security problems of mobile Internet applications (apps) in the financial industry are particularly severe.

In order to strengthen the standardized management of mobile Internet application information services, the state encourages the relevant industry associations to formulate self-regulatory management systems in accordance with the law, so as to strengthen the protection of users' rights. To this end, the industry's mobile terminal application security regulations are formulated; security testing and risk assessment are conducted on the mainstream mobile terminal applications in the market; monitoring channels and early-warning mechanisms are improved; a mobile terminal application security risk warning system is established; design flaws and security vulnerabilities in mobile terminal applications, as well as counterfeit and tampered mobile terminal applications, are promptly discovered and reported; operating institutions are supervised to strengthen the security management of mobile terminal applications; and investors' awareness of risk prevention is effectively raised.

1 Scope

This standard specifies the mobile terminal security, identity authentication, network communication security, data security, development security and security audit requirements for mobile Internet applications in the securities and futures industry.

This standard applies to the development and release of mobile Internet applications by institutions in the securities and futures industry.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 22239-2008 Information security technology - Baseline for classified protection of information system security
GB/T 25069-2010 Information security technology - Glossary
JR/T 0060-2010 Baseline for classified protection of information systems in the securities and futures industry

3 Terms and definitions

The terms and definitions defined in GB/T 25069-2010, GB/T 22239-2008 and JR/T 0060-2010, together with the following, apply to this document.

3.1 Mobile terminal
Computing equipment on which securities and futures mobile Internet applications can be installed and used, typically smart devices such as mobile phones and tablet computers.

3.2 Mobile Internet application; app
A native application installed on the mobile terminal and used for securities and futures inquiry, trading, business handling and other business-related purposes.
Note: Mobile Internet applications include, but are not limited to, mobile Internet applications related to business processing, securities and futures trading, office work and information disclosure, public mobile Internet applications, and mobile Internet applications issued by other participating institutions (service agencies) in the securities and futures industry.

3.3 Customer information
Computer data held by the mobile Internet application that relates to a specific natural person or legal person and that, alone or in combination with other information, can identify a particular natural person.
Note: The computer data is the set of data related to the identity and property attributes of a natural person.

3.4 Sensitive information
Personal or corporate information that, once leaked, illegally provided or abused, may endanger personal and property safety or easily cause damage to personal or corporate reputation and property.

4 Mobile terminal security

4.1 Mobile Internet applications

A mobile Internet application is stored on the mobile terminal as an independent program and should meet the following security requirements:
a) adopt anti-dynamic-debugging, code obfuscation and anti-reverse-engineering techniques to protect key code and core logic;
b) design no interface of any type that violates or bypasses the security measures, and no interface of any mode that is not described in the development documentation;
c) ensure the confidentiality of input information, for example by using custom keyboards, randomised key positions and techniques that prevent keyboard eavesdropping;
d) validate the legitimacy of input information;
e) do not access, modify or delete data on the mobile terminal that is unrelated to the business without the user's permission;
f) when obtaining other permissions on the mobile terminal, prompt the user in an obvious way, including but not limited to icon, text and sound prompts;
g) have an integrity check mechanism to prevent re-signing and repackaging, and protect the key verification code itself;
h) when an exception occurs, show a clear and easy-to-understand business message rather than returning the program's error code directly to the user.

4.2 Mobile terminal environment

The mobile terminal environment should support the following security checks:
a) the mobile Internet application should check the security of its operating environment before each run and warn of any risks found;
b) during start-up and operation of the mobile Internet application, corresponding process-protection measures should be taken to prevent illegal programs from gaining access to its process;
c) effective measures should be taken to monitor the security status of the mobile terminal environment and report it to the back-end system, and to stop the application from running when necessary.

4.3 Installation and uninstallation

Installation of a mobile Internet application requires explicit authorisation, and the installation process should not damage the mobile terminal environment. On uninstallation, the application should be able to delete the data and information it generated. Installation and uninstallation should meet the following requirements:
a) during installation, the user should be prompted to confirm the terminal resources (including communication resources and peripheral interfaces), terminal permissions and terminal data that the application uses;
b) data cached during installation and use should be completely deleted, and the user should be prompted when data generated during use is deleted;
c) the functions of the terminal operating system and of other application software should not be affected.

4.4 Upgrade and update

Mobile Internet applications should support software security updates and improve security in a timely manner. Upgrades and updates should meet the following requirements:
a) authenticity and integrity should be verified when updating, to prevent the mobile Internet application from being tampered with or replaced;
b) at least one security mechanism should be adopted to ensure timely upgrades, such as automatic upgrade or update notification;
c) when an upgrade is required because of a major security issue, the user may be forced to upgrade only after the application market permits it.

5 Identity authentication

5.1 Authentication method

Mobile Internet applications should meet the following requirements for authentication methods and security techniques:
a) for key business such as fund transactions and customer-information modification, a second authentication step should be added, and local client information should be activated for authentication; authentication methods include passwords, biometrics, SMS, tokens, graphic gestures, etc., of which at least one should be used;
b) if a third-party mobile Internet application authentication method is adopted, the industry institution's own mobile Internet application account name and password should still be used for registration and verification;
c) measures should be taken to limit the number of consecutive login failures, such as setting an upper limit on the number of login failures and an account-lockout policy after multiple login failures;
d) a login timeout lock or logout function should be provided: if there is no operation within the set time period the login session is terminated, and identity authentication must be performed again before operation can continue.

5.2 Authentication data protection

The following authentication data protection functions shall be provided:
a) unauthorised access or modification of authentication data should not be possible;
b) for key services such as fund transactions and customer-information modification, it is advisable to remind users through multimedia methods such as SMS;
c) identity authentication is bound to the user's identity information and is not limited to the single attribute of the mobile terminal device.

5.3 Password security

The security of passwords shall be guaranteed and the following requirements shall be met:
a) the password should not be stored in the local storage of the mobile terminal in any form;
b) passwords should not be transmitted in clear text; national cryptographic algorithms or international data encryption algorithms should be used;
c) passwords are prohibited from being output to caches or logs;
d) when a password is entered, technical measures should be taken to prevent it from being stolen;
e) by default, the password input box must not display the password in plain text;
f) a password complexity check should be provided to prevent users from setting easy-to-guess passwords;
g) the user's identity should be verified before a password is changed.

6 Network communication security

6.1 Communication protocol

When the mobile Internet application communicates with the server, it should meet the following requirements:
a) secure communication protocols and encryption algorithms should be used, and the validity of the server certificate should be verified when sensitive data is transmitted;
b) the secure version of the communication protocol should be used, and support for protocol versions with known security risks should be removed;
c) the secure encryption algorithms and key lengths approved by the national cryptography authority should be used.

6.2 Session management

When the mobile Internet application communicates with the server, it should meet the following requirements:
a) the sensitive data cache should be cleared immediately after the session ends, to prevent information leakage;
b) the user should be notified when the account is logged in on a different mobile terminal;
c) after login is completed, every request in the session must authenticate the user's legitimate identity, and operations may proceed only once authenticated;
d) session protection measures should be taken to prevent the session between the software and the back-end server from being eavesdropped, tampered with, forged, replayed, etc.;
e) the session should be securely terminated after the user logs out;
f) a reasonable account login timeout policy should be designed: when the user has been idle online beyond the time limit, the user is automatically logged out;
g) the number of concurrent sessions should be limited, and in particular the number of concurrent sessions of the same user should be limited, to prevent a malicious user from creating many concurrent sessions that consume system resources and affect business availability.

6.3 Third-party network communication

If a third-party server is used for communication between the mobile Internet application and the server, an encrypted secure channel should be established between the server and the mobile Internet application, so that the information cannot be intercepted or tampered with by a third party.
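The login-failure limit and lockout of 5.1 c), the idle timeout and re-authentication of 5.1 d) and 6.2 f), the per-request session check of 6.2 c), server-side logout of 6.2 e) and the per-user concurrent-session cap of 6.2 g) can all be enforced in one server-side session manager. The following sketch is an added example and is not part of the standard or of any reference implementation; the numeric limits, the user name and the password are constructed for illustration, and the standard itself fixes no values for them.

```python
import hashlib
import hmac
import secrets

# Limits are constructed for this example; JR/T 0192-2020 requires the controls but fixes no numbers.
MAX_FAILED_LOGINS = 5            # 5.1 c) upper limit on consecutive login failures
LOCKOUT_SECONDS = 15 * 60        # 5.1 c) account lockout period once the limit is reached
IDLE_TIMEOUT_SECONDS = 10 * 60   # 5.1 d) / 6.2 f) idle time before the login state is dropped
MAX_CONCURRENT_SESSIONS = 2      # 6.2 g) per-user cap on concurrent sessions


def make_verifier(expected_password):
    # Constant-time comparison of digests; a real deployment would use a salted KDF instead.
    digest = hashlib.sha256(expected_password.encode()).digest()
    return lambda p: hmac.compare_digest(hashlib.sha256(p.encode()).digest(), digest)


class SessionManager:
    def __init__(self, verifiers, clock):
        self._verifiers = verifiers   # user -> password verifier callable
        self._clock = clock           # time source, injectable so tests can advance it
        self._failures = {}           # user -> consecutive failed logins
        self._locked_until = {}       # user -> lockout expiry timestamp
        self._sessions = {}           # token -> {"user", "last_activity"}; insertion order = creation order

    def login(self, user, password):
        """Return (token, status); status is 'ok', 'bad_credentials' or 'locked'."""
        now = self._clock()
        if now < self._locked_until.get(user, 0.0):
            return None, "locked"
        if not self._verifiers.get(user, lambda _p: False)(password):
            self._failures[user] = self._failures.get(user, 0) + 1
            if self._failures[user] >= MAX_FAILED_LOGINS:
                self._failures[user] = 0
                self._locked_until[user] = now + LOCKOUT_SECONDS
                return None, "locked"
            return None, "bad_credentials"
        self._failures[user] = 0
        # 6.2 g): evict the oldest-created sessions so the user never exceeds the cap
        own = [t for t, s in self._sessions.items() if s["user"] == user]
        while len(own) >= MAX_CONCURRENT_SESSIONS:
            self._sessions.pop(own.pop(0), None)
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = {"user": user, "last_activity": now}
        return token, "ok"

    def authorize(self, token):
        """6.2 c): every post-login request is checked; idle sessions expire (5.1 d, 6.2 f)."""
        now, s = self._clock(), self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_activity"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]   # user must authenticate again
            return None
        s["last_activity"] = now
        return s["user"]

    def logout(self, token):
        """6.2 e): terminate the session on the server when the user logs out."""
        return self._sessions.pop(token, None) is not None

    def active_sessions(self, user):
        return sum(1 for s in self._sessions.values() if s["user"] == user)
```

The clock is injected so the lockout and idle-timeout behaviour can be exercised deterministically; in production it would simply be `time.time`.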

7 Data security

7.1 Data entry

The mobile Internet application shall meet the following requirements when data is entered:
a) when the user enters a password or other sensitive customer information, it should not be displayed in plain text;
b) the mobile Internet application should support a mechanism that automatically clears sensitive customer information from the interface after the interface is left.

7.2 Data storage

When the mobile Internet application stores data, the following requirements should be met:
a) the mobile Internet application should not store sensitive customer information without the customer's permission or knowledge, and should not store password information in any form;
b) after the mobile Internet application is deleted, all customer information on the mobile terminal should be cleared;
c) when the mobile Internet application exits, the customer's sensitive data should be cleared or encrypted.

8 Development security

8.1 Security requirements

The security requirements of the mobile Internet application should be formulated during architecture design, describing the security functions the application should have.

8.2 Security development

When developing a mobile Internet application, the following requirements should be met:
a) coding security should be considered during development, to reduce application security vulnerabilities;
b) the third-party development tools and third-party plug-ins used should be secure;
c) authentication logic and verification functions should be completed on the server side.

8.3 Security testing

Mobile Internet applications should meet the following security testing requirements:
a) security testing and penetration testing should be carried out after development and before the application is officially launched;
b) security function operation documents and security function test documents shall be provided.

8.4 Security release

When a mobile Internet application is released, the following requirements should be met:
a) when the official version is released, the test data and all code used for debugging should be removed;
b) the mobile Internet application should be signed with the issuing institution's certificate so that the publisher of the application can be identified, and the signing certificate should be managed by a dedicated person;
c) the mobile Internet application should have a standardized online release process, and safe and reliable channels should be provided for downloading, releasing and upgrading the mobile application software.

9 Security Audit

9.1 Log generation

The basic requirements for log generation are:
a) the log should include the date, time, user ID, unique device ID, device model, device version, network type, event description, result and similar information;
b) the log should truthfully record the user's important operations, such as success or failure of user login, the number of verification failures exceeding the threshold, termination of the session connection, etc.;
c) the officially released mobile terminal program must not include the logs produced during debugging.

9.2 Log management

Log management should meet the following requirements:
a) the log should be stored on a storage medium that is non-volatile across power failure;
b) only authorised users are allowed to access the log, in read-only form, and log auditing is supported;
c) the log should have a query function;
d) the log should not record sensitive customer information;
e) the log should be stored on the server side;
f) the log should be kept for no less than twelve months, to meet the needs of business management, auditing, supervision and inspection.
