|
Article 3
|
Classification and Assessment Cycle of Information and Communication Systems
- Information and communication systems are classified into three categories based on their importance:
- Testing may be conducted by sampling where the equipment comprise a multitude of systems and the economic rights of such equipment are owned by the company. The sampling rate shall be at least 10% of all the equipment in the system or a minimum of 100 units each time.
- Where a material information and communication security incident occurs in a single system and is confirmed to constitute a personal data breach or a hacker attack, an information and communication security assessment must be re-conducted and completed within three months
|