
Title:

Enforcement Rules of Cyber Security Management Act

Amended Date: 2026.01.05 
Article 7

When government agencies outsource the establishment, maintenance, operation, or provision of information and communication services for information and communication systems in accordance with Article 10 of the Act (collectively referred to as “entrusted business”), they shall pay attention to the following matters when selecting and supervising contractors:

1. The contractor shall be equipped with sufficient cyber security personnel who are appropriately qualified, hold cyber security professional licenses, or possess equivalent professional experience in related business areas.
2. Whether the contractor is permitted to sub-delegate the entrusted business, the permissible scope and parties for sub-delegation, and the cyber security and maintenance measures that the sub-delegated contractor must implement.
3. Personnel executing entrusted business that involves classified national security information must undergo a competency audit and are subject to exit restrictions in compliance with the Classified National Security Information Protection Act.
4. For entrusted business containing customized information and communication system development, the contractor must provide security testing certification. When the information and communication system is classified as a core information and communication system of the contracting agency or the contract value exceeds NT$10 million, the agency shall either perform its own security testing or engage a third party to conduct it. When it involves the use of systems or resources developed by non-contractors, the non-self-developed content and its source shall be marked and proof of authorization shall be provided.
5. When a contractor executes entrusted business and violates information and communication security laws or regulations, or becomes aware of any information and communication security incidents, the contractor shall immediately notify the contracting agency and implement appropriate remedial measures.
6. Upon termination or dissolution of the entrustment relationship, the contractor must confirm the return, transfer, deletion, or destruction of all data held in the course of contract performance.
7. Other cyber security and maintenance measures to be implemented by the contractor.
8. The contracting agency shall periodically, or upon learning of any cyber security incidents that may impact the entrusted business, verify the execution of such operations through audits or other suitable methods.

When conducting the competency audit for Subparagraph 3 mentioned above, the contracting agency should consider the classification level and content of classified national security information involved in the entrusted business. Within the necessary scope, it shall verify whether personnel of the contractor responsible for executing such business and other personnel who may have access to this classified national security information have any of the following circumstances:

1. Individuals who have been convicted of computer misuse offenses, or who are currently wanted in unresolved cases related to such offenses.
2. Those who have been convicted of leaking secrets, or after the end of the period of national mobilization in suppression of communist rebellion, persons who previously committed internal rebellion or external aggression, and who have been finally convicted or remain wanted with unresolved cases.
3. Previously employed as a civil servant and received administrative sanctions at the level of demerit or higher for breaching security and confidentiality requirements.
4. Has been induced or forced by a foreign government, authorities from mainland China, Hong Kong, or Macau to carry out actions that harm national security or the country’s significant interests.
5. Other specific matters related to the protection of classified national security information.

Circumstances as described in Subparagraph 3 of Paragraph 1 must be documented in the tender announcement, tender documents, and contract. Prior to conducting the competency audit, written consent from all relevant parties is also required.