|
Article 1
|
These Regulations are stipulated in accordance with Paragraph 2 of Article 9 of the Cyber Security Management Act (hereinafter referred to as “the Act”).
|
Info
|
|
Article 2
|
The term cyber security information (hereinafter referred to as “the Information”) as used in these Regulations refers to the information in each subparagraph:
1. Malicious detections or collections activity of information and communication system.
2. Security vulnerabilities of information and communication system.
3. The methods that invalidate the information and communication systems security control measure or make use of the security vulnerability.
4. The information relating to malicious programs.
5. The actual damage or possible negative impact caused by cyber security incident.
6. Relevant measures that are taken to detect, prevent from or respond to the circumstances under the preceding five subparagraphs or to mitigate the damage.
7. Other information relating to cyber security incidents.
|
|
|
Article 3
|
The competent authority shall conduct international cooperation in the matters of cyber security information sharing.
The competent authority and government agencies shall share cyber security information.
The central competent authority in charge of the relevant sector and the specific non-government agency under their charge shall share cyber security information.
Except for the competent authority or the central competent authority in charge of the relevant sector, other government agencies or specific non-government agency under their charge are not required to re-share information that has already been shared or disclosed to the public.
When the competent authority or the central competent authority in charge of the relevant sector deter-mines that the cyber security information shared under the Paragraph 2 or 3 is sufficient to prevent other agency from the occurrence of cyber security incident or to mitigate their damage, the competent authority or the central competent authority in charge of the relevant sector may present incentive commenda-tion.
|
|
|
Article 4
|
The cyber security information under any of the following circumstances may not be shared:
1. The information involving business secret or relating to business operation of individual, juristic person or organization, of which the disclosure or provision might infringe upon right or other le-gitimate interest of the government agency, individual, juristic persons or organization; unless itis otherwise provided by law, or necessary for public welfare, or necessary for the protection of the lives, bodies or health of the people, or with consent of the party involved.
2. Other circumstances under which cyber security information should be kept confidential, should be restricted on or prohibited from disclosure thereof.
Cyber security information containing contents that may not be shared under the preceding paragraph may be shared to the extent of other portions only.
|
|
|
Article 5
|
In conducting cyber security information sharing, the government agency or the specific non-government agency (hereinafter referred to as “each agency”) shall analyze and integrate first and shall plan the ap-propriate security maintenance measure to prevent breach of the content of the information, or information that may not be shared under laws; or the unauthorized access thereto or the tampering thereof.
|
|
|
Article 6
|
For the cyber security information received, each agency shall identify its reliability and timeliness, shall timely conduct an analysis of threat and vulnerability and make the judgment of potential risk, and shall take corresponding prevention or contingency measure.
The competent authority or the central competent authority in charge of the relevant sector may notify agencies receiving information to report back on the measures referred to in the preceding paragraph concerning the designated information.
|
|
|
Article 7
|
Each agency may conduct the correlation analysis and integration with their internal information based on the source, date of receipt, available periods, and kinds of the information, the extent of threat index, and other proper items.
Each agency may conduct the cyber security sharing of the new threat that is found after the analysis and integration.
|
|
|
Article 8
|
For the cyber security information received, each agency shall take appropriate security measures to pre-vent the breach of the content of cyber security information, or information that may not be shared under laws; or the unauthorized access thereto or the tampering thereof.
|
|
|
Article 9
|
In conducting cyber security information sharing, each agency shall follow the procedure as designated by the competent authority or the central competent authority in charge of the relevant sector, respective-ly.
When conducting cyber security information sharing in the manner under the preceding paragraph is pre-vented for any reason, each agency may conduct it in any of the following manners with the consent of the competent authority or the central competent authority in charge of the relevant sector, respectively:
1. Written documents.
2. Fax.
3. Email.
4. Information and communication system.
5. Other appropriate manner.
|
|
|
Article 10
|
Individual, juristic person or organization, to whom the Act is not applicable, may share cyber security information, with the consent of the competent authority or the central competent authority in charge of the relevant sector.
In giving consent to individual, juristic person or organization for cyber security information sharing un-der the preceding paragraph, the competent authority or the central competent authority in charge of the relevant sector shall agree with them in writing on the provisions of compliance with the requirements under Article 4 to the preceding article.
|
Info
|
|
Article 11
|
When information and communication systems, services, or products are suspected of posing a threat to national cyber security, they shall be reviewed in accordance with the Regulations for the Review of Products Harmful To National Cyber Security.
|
|
|
Article 12
|
The competent authority may delegate the cyber security information sharing, commendation, and other related tasks set out in these Regulations to the Administration for Cyber Security of the Ministry of Dig-ital Affairs.
|
|
|
Article 13
|
These Regulations shall come into effect on the date of promulgation.
|
|