Article 1

These Regulations are stipulated in accordance with Paragraph 4 of Article 8 and Paragraph 3 of Article 16 of the Cyber Security Management Act (hereinafter referred to as “the Act”).

Article 2

Government agencies must conduct their cyber security maintenance plans in accordance with Paragraph 1 of Article 9 of the Enforcement Rules of the Act. Government agencies submitting reports on the implementation of cyber security maintenance plans under Article 14 of the Act shall comply with the requirements specified in Paragraph 2 of Article 9 of the Enforcement Rules.

Article 3

Government agencies must submit reports on the implementation of their cyber security maintenance plans through the system platform designated by the competent authority. However, in cases of special circumstances, other appropriate methods may be used with the approval of the competent authority.

Article 4

Government agencies designated in Article 14 of the Act that receive reports on cyber security maintenance plans shall annually establish audit plans and monitor the audit implementation for their subordinate or supervisory government agencies; their governed villages (townships/cities) and mountain indigenous district offices of special municipalities; the subordinate or supervisory government agencies of such governed villages (townships/cities) and mountain indigenous district offices of special municipalities; and the representative councils of the aforesaid villages (townships/cities) and the councils of the Mountain Indigenous Districts of Special Municipalities.

Article 5

The competent authority shall select and determine the government agencies and the specific non-government agencies to be audited, and may audit the implementation of their cyber security maintenance plans through onsite audit or in another proper manner every year.

Except in cases of force majeure, government agencies shall annually select and determine, from among their subordinate or supervisory government agencies; their governed villages (townships/cities) and mountain indigenous district offices of special municipalities; the subordinate or supervisory government agencies of such governed villages (townships/cities) and mountain indigenous district offices of special municipalities; and the representative councils of the aforesaid villages (townships/cities) and the councils of the Mountain Indigenous Districts of Special Municipalities, the agencies to be audited. They may audit the implementation of their cyber security maintenance plans through onsite audit or in another proper manner every year.

Article 6

In selecting and determining the audited agencies, the competent authority and government agencies (hereinafter collectively referred to as the “audit agency”) shall give comprehensive consideration to the significance and confidential sensitivity of their businesses, the size and nature of their information and communication systems, the frequency and extent of cyber security incidents, the results of cyber offense and defense exercises, the frequency and results of audits conducted over past years by the government agencies that receive reports on cyber security maintenance plans as defined in Article 14 of the Act, by the central competent authority in charge of the relevant sector, or by other business agencies, and other factors relating to cyber security.

The annual plan prescribed in Paragraph 5 of Article 8 of the Act, and the audit plan prescribed in Article 4, shall include at least the following items:
1. Basis for audit.
2. Purpose of audit.
3. Scope of audit.
4. Work schedule.
5. Composition of the audit team.
6. Duty of confidentiality.
7. Principles for selecting audited agencies.
8. Audit criteria.
9. Audit methodology and scope.

When the audit agency establishes the said annual plan or audit plan, it shall take into comprehensive consideration the cyber security policy of our country, domestic and foreign cyber security trends, the contents and results of past audit programs, and any other factors relating to the proper allocation of audit resources or audit effectiveness.

Article 7

When the audit agency conducts an audit, it shall deliver notice in writing to the audited agency one month before the audit. For business reasons or other justifiable cause, the audited agency may apply to the audit agency for adjustment of the audit date within 5 days of receipt of the preceding written notice. The preceding application is limited to one time, except in cases of force majeure.

Article 8

When the audit agency conducts an audit, it may require the audited agency to give explanations on, or cooperate with, the implementation of its cyber security maintenance plan, or to provide relevant documents and supporting information for inspection by the audit team, and may conduct the following; the audited agency and its personnel shall cooperate accordingly:
1. Pre-audit interview.
2. Onsite audits or other suitable audit approaches.

Where the audited agency cannot give the explanations, cooperate, or provide documentation for inspection by the audit team under the preceding paragraph for justifiable reasons under the law, it shall submit the reasons in writing to the audit agency, which shall conduct a review after receipt.

When the audit agency conducts the review referred to above and finds sufficient grounds, it shall document the basis for the review and the relevant information in the audit report and may suspend all or part of the audit proceedings. When it finds no sufficient grounds, it shall require the audited agency to proceed as required in Paragraph 1. When the audit operation is suspended, the audit agency referred to in Paragraph 1 may continue the audit at another time and shall deliver the audit program notice in writing to the audited agency ten days before the audit.

Article 9

When the audit agency conducts an audit, it shall form an audit team of three or more people for each audited agency, depending on the considerations under Paragraph 1 of Article 6.

In forming the audit team under the preceding paragraph, the audit agency shall, taking the needs of the audit into consideration, invite representatives of government agencies, or experts and scholars who have professional knowledge of cyber security policy or of the technologies, management, or legal affairs required for such audit, to act as members of the team, of which the number of representatives of government agencies may not be less than one-fourth of all members.

The audit agency shall sign written agreements with the members of audit teams on recusal due to conflicts of interest and on confidentiality obligations.

Where a member of the audit team under Paragraph 2 has any of the following circumstances, he shall recuse himself from acting as a member of that audit team:
1. He, his spouse, his relatives within the third degree, his family member, or the trustee of the property trusts of the above-mentioned persons has a property or non-property interest relationship with the audited agency or its representative or responsible person.
2. He, his spouse, his relatives within the third degree, or his family member has an employment, contract, appointment, agency, or other similar relationship with the audited agency or its representative or responsible person, currently or in the past two years.
3. He has served, currently or in the past two years, as a consultant of the audited agency and his mentoring project is related to the audit program.
4. Other circumstances in which his role as a member of the audit team might be considered to affect the impartiality of the audit result.

Article 10

The audit agency shall, within one month after the completion of the audit operations on the audited agencies designated for each quarter, deliver the audit reports to the audited agencies for that quarter. The contents of the preceding audit reports shall include the scope of the audit, flaws or items to be improved, the status of and reasons for any failure of the audited agency to give explanations, cooperate, or provide documentation for inspection by the audit team under Paragraph 2 of Article 8, the review results of the audit agency under Paragraph 3 of the same article, and other necessary contents relating to the audit.

Article 11

When an audited agency discovers deficiencies or areas requiring improvement in the implementation of its cyber security maintenance plans, it must submit an improvement report within one month following receipt of the audit results from the audit agency. This report shall be submitted in accordance with Paragraph 1 of Article 6 of the Enforcement Rules of the Act to the government agencies that receive reports on cyber security maintenance plans as specified in Article 14 of the Act, or to the central competent authority in charge of the relevant sector, for review. The reviewing agency shall then forward the report to the competent authority.

For audits conducted pursuant to Paragraph 2 of Article 5, the audit agency shall submit the audit results to the competent authority.

After the audited agency submits an improvement report, it shall submit the implementation status of that report to the government agencies that receive reports on cyber security maintenance plans as specified in Article 14 of the Act, or to the central competent authority in charge of the relevant sector, for review in accordance with Paragraph 2 of Article 6 of the Enforcement Rules of the Act. The reviewing agency shall then forward the report to the competent authority.

When the agency receiving the improvement report and the information on the implementation of such report deems it necessary, it may require the audited agency to provide clarification or make adjustments.

Article 12

During audits, the competent authority may require agencies that received cyber security maintenance plans as specified in Article 14, Paragraph 3 of Article 20, and Paragraph 2 of Article 21 of the Act to dispatch representatives or provide other necessary cooperation.

Article 13

The competent authority may appoint the Administration for Cyber Security of the Ministry of Digital Affairs to handle the audit of the implementation status of the cyber security maintenance plan stipulated in these Regulations, the submission of improvement reports, and other related matters.

Article 14

These Regulations shall come into effect on the date of promulgation.