
Directions on Information and Communication Security Management and Control of New Technologies for Associations of Securities and Futures Market

Amended Date: 2024.12.27 
Categories: Information Operations
Article 20     (Control and management of release of a mobile app)
  1. Before releasing its mobile app, an organization shall review the permissions the mobile app requires to make sure they are adequate for the services to be provided. The first release, and any subsequent change to those permissions, shall be approved by the information security and compliance departments, and records shall be kept to support a comprehensive evaluation of whether the notification obligations under the Personal Data Protection Act have been performed.
  2. An organization shall release its mobile app on a reliable app store or website and shall, at the time of release, provide information about what sensitive information and mobile device resources the app may access, together with the permissions it declares and how they are used.
  3. For a mobile app to be used by clients, an organization shall, prior to the first release and once a year thereafter, appoint a qualified third-party testing laboratory certified by the Taiwan Accreditation Foundation (TAF) to conduct and complete information security testing with a satisfactory result. The test shall be performed in accordance with the basic mobile app information security tests published by the Mobile Application Security Alliance, the implementing organization appointed by the Industrial Development Bureau, Ministry of Economic Affairs. For a mobile app not to be used by clients, an organization shall refer to the above information security test standards when developing and designing the app.
  4. When a released app needs to be updated within one year after the laboratory test, the organization shall perform the test itself, or appoint a third party to perform it, on every important update prior to release. Important updates are changes to functions relating to “placing orders”, “accessing account information”, “identity verification” and “changes relating to clients’ important rights and interests”. The tests shall be based on the most current OWASP Mobile Top 10, the related test records shall be kept, and completion of remediation shall be verified by the unit (or personnel) responsible for information security. In the case of an urgent release (subject to approval by an appropriate level of authority), remediation shall still be completed within one month.
  5. The organization shall establish a review procedure, based on the basic mobile app information security tests published by the Mobile Application Security Alliance, the implementing organization appointed by the Industrial Development Bureau, Ministry of Economic Affairs, for the test reports delivered by the third-party laboratory, to ensure the tests have been conducted in accordance with the requirements, and the review records shall be kept. The review records shall be submitted to the unit (or personnel) responsible for information security for monitoring, and completion of remediation shall be verified by that unit (or personnel).