Article 4 (Account management)
- An organization shall establish the information and communication system account management mechanism, covering procedures for the application, creation, change, activation, deactivation, and deletion of an account.
- The information and communication system account approved by an organization for temporary or emergency use shall be deleted or banned after the operation ends.
- An organization shall ban an idle information and communication system account.
- An organization shall review the appropriateness of information and communication system accounts and authorizations.
- A type 1 organization shall define the idle time or available time of a core system and the status and conditions of use of said system, such as account type and restrictions on its functions, restrictions on operating hours, restrictions on the source IP address, number of connections, and accessible resources, etc.
- If a core system of a type 1 organization operates beyond the permitted idle time or available time prescribed, it is advisable for the system to log the user account out automatically.
- A type 1 organization shall use a core system in accordance with the circumstances and conditions prescribed by the organization.
- An organization offering online ordering services shall monitor and analyse on a daily basis records of log-in attempts, etc. with regard to a core system account and a non-client account, and shall report any irregular use discovered to the manager and follow up.
- No organization may use a client’s explicit data such as uniform business number, identity card number, mobile phone number, email address, credit card number, savings account number, etc. as sole identification, or it shall separately create a user code for identification purposes.