Article 1
These Regulations are stipulated in accordance with Paragraph 4 of Article 10, Paragraph 4 of Article 17 and Paragraph 4 of Article 24 of the Cyber Security Management Act (hereinafter referred to as “the Act”).
Article 2
Cyber security incidents are classified into four levels.

A cyber security incident occurring to a government agency or a specific non-government agency (hereinafter referred to as "each agency") under any of the following circumstances is a level-1 cyber security incident:
1. Minor breach of non-core business information.
2. Minor alteration of non-core business information or of a non-core information and communication system.
3. Impact on or interruption of the operation of a non-core information and communication system which may be recovered within the tolerable interruption time, resulting in impact on the daily operation of each agency.

A cyber security incident occurring to each agency under any of the following circumstances is a level-2 cyber security incident:
1. Serious breach of non-core business information, or minor breach of core business information not involving the maintenance and operation of critical infrastructures.
2. Serious alteration of non-core business information or of a non-core information and communication system, or minor alteration of core business information or of a core information and communication system not involving the maintenance and operation of critical infrastructures.
3. Impact on or interruption of the operation of a non-core information and communication system which cannot be recovered within the tolerable interruption time, or impact on or interruption of the operation of a core information and communication system not involving the maintenance and operation of critical infrastructures which may be recovered within the tolerable interruption time.

A cyber security incident occurring to each agency under any of the following circumstances is a level-3 cyber security incident:
1. Serious breach of core business information not involving the maintenance and operation of critical infrastructures, or minor breach of confidential information of general official affairs or of core business information involving the maintenance and operation of critical infrastructures.
2. Serious alteration of core business information or of a core information and communication system not involving the maintenance and operation of critical infrastructures, or minor alteration of confidential information of general official affairs, or of core business information or a core information and communication system involving the maintenance and operation of critical infrastructures.
3. Impact on or interruption of the operation of a core information and communication system not involving the maintenance and operation of critical infrastructures which cannot be recovered within the tolerable interruption time, or impact on or interruption of the operation of a core information and communication system involving the maintenance and operation of critical infrastructures which may be recovered within the tolerable interruption time.

A cyber security incident occurring to each agency under any of the following circumstances is a level-4 cyber security incident:
1. Serious breach of confidential information of general official affairs or of core business information involving the maintenance and operation of critical infrastructures, or breach of classified national security information.
2. Serious alteration of confidential information of general official affairs, or of core business information or a core information and communication system involving the maintenance and operation of critical infrastructures, or alteration of classified national security information.
3. Impact on or interruption of the operation of a core information and communication system involving the maintenance and operation of critical infrastructures which cannot be recovered within the tolerable interruption time.
Article 4
Each agency shall stipulate operational regulations on the notification of cyber security incidents, the content of which shall include the following matters:
1. The process for, and the accountabilities in, judging and determining the level of an incident.
2. Assessment of the impact scope and degree of damage of an incident, and of the response capabilities of the agency.
3. The process of internal notification of a cyber security incident.
4. The method of notifying other agencies impacted by a cyber security incident.
5. Exercises of the matters under the preceding four subparagraphs.
6. The contact window and the methods of notification of cyber security incidents.
7. Other matters relating to the notification of cyber security incidents.
Article 5
Each agency shall stipulate operational regulations on the response to cyber security incidents, the content of which shall include the following matters:
1. The organization of the response team.
2. Exercises prior to the occurrence of an incident.
3. The mechanism of damage control upon the occurrence of an incident.
4. The recovery, identification, investigation, and improvement mechanisms after the occurrence of an incident.
5. The preservation of records relating to the incident.
6. Other matters relating to the response to cyber security incidents.
Article 6
Upon becoming aware of a cyber security incident, the government agency shall conduct the notification to the system platform designated by the competent authority within one hour.

Where the level of the cyber security incident under the preceding paragraph changes, the government agency shall continue the notification as provided for in the preceding paragraph.

Where notification in the manner specified in Paragraph 1 is prevented for any cause, the government agency shall conduct the notification in another appropriate manner within the timeframe prescribed under the same paragraph, and shall note the cause preventing notification in the required manner. After the cause preventing notification in the manner required under Paragraph 1 has been eliminated, the government agency shall supplement the notification in that manner.
Article 7
Under Paragraph 2 of Article 17 of the Act, after the notification of a cyber security incident to the notified agency has been completed, the review of the level of such cyber security incident shall be completed within the following timeframes, and its level may be changed according to the review results:
1. Within eight hours after receipt of the notification of a level-1 or level-2 cyber security incident.
2. Within two hours after receipt of the notification of a major cyber security incident.

After completing the required review of the level of the cyber security incident, the notified agency under the preceding paragraph shall notify the competent authority of the review results within one hour, and shall provide the information relating to the basis of the review.

Upon receipt of the notification under the preceding paragraph, the competent authority shall further review the level of the cyber security incident according to the relevant information, and may change its level according to the review result. However, where it deems necessary, or where the agency under the preceding paragraph fails to notify it of the required review results, the competent authority may directly review such cyber security incident and change its level.
Article 8
Upon becoming aware of a cyber security incident, the government agency shall complete the damage control or recovery operation within the following timeframes, and shall conduct the notification to the notified agency in the manner designated by the competent authority according to Paragraph 2 of Article 17 of the Act:
1. Within seventy-two hours of becoming aware of a level-1 or level-2 cyber security incident.
2. Within thirty-six hours of becoming aware of a major cyber security incident.

After completing the damage control or recovery operation under the preceding paragraph, the government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management, and improvement report on the cyber security incident to the aforesaid notified agency within one month, in the manner designated by the competent authority.

The timeframe for submission of the investigation, management, and improvement report under the preceding paragraph may be extended with the consent of the notified agency mentioned in Paragraph 1.

The investigation, management, and improvement report mentioned in Paragraph 2 shall include the items specified in Article 12 of the Enforcement Rules of the Act.

Where the notified agency mentioned in Paragraph 1 deems necessary, or deems that there is any non-compliance with regulatory requirements, improper matter, or other matter to be improved in respect of the damage control or recovery operation under the same paragraph or the report submitted under Paragraph 2, it may require the government agency to give explanations and make adjustments.
Article 9
Under Paragraph 2 of Article 17 of the Act, the notified agency shall handle the notification and response operations for cyber security incidents of its subordinate or supervisory government agencies, their governed villages (townships/cities) and mountain indigenous district offices of special municipalities, and the representative councils of such governed villages (townships/cities) and of such mountain indigenous districts of special municipalities; it shall provide necessary support or assistance where circumstances so require.

The competent authority shall provide necessary support or assistance in respect of the response operation of a cyber security incident implemented by the government agency, where circumstances so require.

After the government agency becomes aware of a major cyber security incident, its Cyber Security Officer shall convene meetings to discuss relevant matters, and may request relevant agencies to provide assistance.
Article 10
The Office of the President, the National Security Council, the Five Yuans, and their directly affiliated agencies shall plan and conduct cyber security exercises for themselves or for their subordinate or supervisory government agencies, and shall, within one month after completion, submit a report on the execution and outcomes to the competent authority. The exercises shall cover at least the following items:
1. A social engineering exercise, conducted once every six months.
2. A notification and response exercise for cyber security incidents, conducted once a year.

The Office of the President, the National Security Council, the Five Yuans, and the special municipality and county (city) councils shall plan and conduct the cyber security exercise operations required under the preceding paragraph.

Special municipality and county (city) governments shall, in line with Paragraph 1, plan and conduct cyber security exercises for themselves, for their subordinate or supervisory government agencies, and for the following organizations:
1. Their governed villages (townships/cities), mountain indigenous district offices of special municipalities, and the subordinate or supervisory government agencies thereof.
2. The representative councils of the townships (towns/cities) mentioned above, and the representative councils of mountain indigenous districts of special municipalities.
Article 11
Upon becoming aware of a cyber security incident, the specific non-government agency shall conduct the notification of the cyber security incident within one hour, in the manner designated by the central competent authority in charge of the relevant sector.

Where the level of the cyber security incident under the preceding paragraph changes, the specific non-government agency shall continue the notification as provided for in the preceding paragraph.

Where notification in the manner specified in Paragraph 1 is prevented for any cause, the specific non-government agency shall conduct the notification in another appropriate manner within the timeframe prescribed under the same paragraph, and shall note the cause preventing notification in the required manner. After the cause preventing notification in the manner required under Paragraph 1 has been eliminated, the specific non-government agency shall supplement the notification in that manner.
Article 12
After the specific non-government agency has completed the notification of a cyber security incident, the central competent authority in charge of the relevant sector shall complete the review of the level of such cyber security incident within the following timeframes, and may change its level according to the review results:
1. Within eight hours after receipt of the notification of a level-1 or level-2 cyber security incident.
2. Within two hours after receipt of the notification of a major cyber security incident.

Once the central competent authority in charge of the relevant sector has completed the review of a cyber security incident as required above, it shall, within one hour, send the review findings, the grounds for the decision, and any other necessary information to the competent authority in the manner designated by the competent authority.

Upon receipt of the documentation under the preceding paragraph, the competent authority may review the level of the cyber security incident, and may change its level. However, where it deems necessary, or where the authority under the preceding paragraph fails to notify it of the required review results, the competent authority may directly review such cyber security incident and change its level.
Article 13
Upon becoming aware of a cyber security incident, the specific non-government agency shall complete the damage control or recovery operation within the following timeframes, and shall conduct the notification in the manner designated by the central competent authority in charge of the relevant sector:
1. Within seventy-two hours of becoming aware of a level-1 or level-2 cyber security incident.
2. Within thirty-six hours of becoming aware of a major cyber security incident.

After completing the damage control or recovery operation under the preceding paragraph, the specific non-government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management, and improvement report within one month, in the manner designated by the central competent authority in charge of the relevant sector.

The timeframe for submission of the investigation, management, and improvement report under the preceding paragraph may be extended with the consent of the central competent authority in charge of the relevant sector.

The investigation, management, and improvement report mentioned in Paragraph 2 shall include the items specified in Article 12 of the Enforcement Rules of the Act.

Where the central competent authority in charge of the relevant sector deems necessary, or deems that there is any non-compliance with regulatory requirements, improper matter, or other matter to be improved in respect of the damage control or recovery operation under Paragraph 1 or the report submitted under Paragraph 2, it may require the specific non-government agency to give explanations and make adjustments.

Upon reviewing the investigation, management, and improvement report on a major cyber security incident submitted by the specific non-government agency, the central competent authority in charge of the relevant sector shall submit such report to the competent authority; where the competent authority deems necessary, or deems that there is any non-compliance with regulatory requirements, improper matter, or other matter to be improved, it may require the specific non-government agency to give explanations and make adjustments.
Article 14
The central competent authority in charge of the relevant sector shall provide necessary support or assistance in respect of the notification and response to cyber security incidents implemented by the specific non-government agencies under its authority, where circumstances so require.

The competent authority shall provide necessary support or assistance in respect of the response operation of a cyber security incident implemented by the specific non-government agency, where circumstances so require.

After the specific non-government agency becomes aware of a major cyber security incident, its Cyber Security Officer shall convene meetings to discuss relevant matters, and may request relevant agencies to provide assistance.
Article 15
For a cyber security incident of each agency, the competent authority may, based on its impact scope and degree of damage, convene meetings and invite relevant agencies to discuss the damage control, recovery, and other relevant matters of such incident.
Article 16
Under Paragraph 2 of Article 17 of the Act, the government agency shall, in coordination with the notified agency, plan and conduct cyber security exercises, the content of which may include the following matters:
1. Social engineering exercise.
2. Notification and response exercise for cyber security incidents.
3. Cyber offense and defense exercise.
4. Scenario exercise.
5. Other necessary exercises.

Under the preceding paragraph, the specific non-government agency shall, in coordination with the central competent authority in charge of the relevant sector, plan and conduct cyber security exercises. However, where such an exercise poses imminent threats of infringement to the rights or legitimate interests of the specific non-government agency, it may be conducted only with the written consent of such agency.

Under Paragraph 4 of Article 10 of the Act, where a cyber security exercise planned and conducted by the competent authority poses imminent threats of infringement to the rights or legitimate interests of the specific non-government agency, such exercise may be conducted only with the written consent of such agency.
Article 17
For all cyber security exercises planned and conducted in accordance with the preceding article, any personnel participating in the exercise who learn confidential or sensitive information about government agencies or specific non-government agencies during the exercise shall keep that information confidential.
Article 18
If, before the enforcement of these Regulations, a government agency has, independently or jointly with other agencies, formulated a notification and response mechanism for itself, for its subordinate or supervisory government agencies, or for the specific non-government agencies it regulates, has enforced such mechanism for more than one year, and such mechanism is approved by the competent authority, the agency and its subordinate or supervisory government agencies or the specific non-government agencies it regulates may continue to conduct the notification and response of cyber security incidents according to such mechanism.

Where the notification and response mechanism under the preceding paragraph is changed, such change shall be submitted to the competent authority for approval again.
Article 19
The competent authority may delegate the notification of, response to, and exercises for cyber security incidents, and other related tasks set out in these Regulations, to the Administration for Cyber Security of the Ministry of Digital Affairs.
Article 20
These Regulations shall come into effect on the date of promulgation.