|
Article 6
|
In selecting and determining the audited agencies, the competent authority and government agencies (hereinafter collectively referred to as the “audit agency”) shall give comprehensive consideration to the significance and confidential sensitivities of its businesses, the size and nature of their information and communication systems, the frequencies and degrees of occurrence of cyber security incidents, the re-sults of cyber offense and defense exercise, the frequencies and results of audits conducted by the government agencies that receive reports on cyber security maintenance plans, the central competent authority in charge of the relevant sector or other business agencies over past years as defined in Article 14 of the Act, or other factors relating to cyber security.<br/>The annual plan prescribed in Paragraph 5 of Article 8 of the Act, and the audit plan prescribed in Article 4, shall include at least the following items in their content:<br/>1. Basis for audit.<br/>2. Purpose of audit.<br/>3. Scope of audit.<br/>4. Work schedule.<br/>5. Composition of the audit team.<br/>6. Duty of confidentiality.<br/>7. Principles for selecting audited agencies.<br/>8. Audit criteria.<br/>9. Audit methodology and scope.<br/>When the audit agency establishes the said annual plan or audit plan, the agency shall take into compre-hensive consideration the cyber security policy of our country, domestic and foreign cyber security trends, the contents and results of past audit programs, and any other factors relating to the proper alloca-tion of audit resources or audit effectiveness.
|