
Title:

Regulations Governing the Operations of Cyber Security Affairs Handled by Personnel From Government Agencies

Amended Date: 2026.01.13 
Article 1 These Regulations are stipulated in accordance with Paragraph 3 of Article 18, Paragraph 6 of Article 19 and Paragraph 2 of Article 28 of the Cyber Security Management Act (hereinafter referred to as “the Act”).
Article 2 In these Regulations, cyber security personnel means dedicated cyber security personnel and any other personnel who actively perform cyber security businesses.
The aforementioned dedicated cyber security personnel refers to personnel who should perform cyber security businesses on a full-time basis.
Article 3 The phrase ‘when necessary’ in Paragraph 1 of Article 19 of the Act refers to cases in which a dedicated cyber security personnel meets any of the following conditions:
1. The matters handled involve military or national defense secrets as defined by the Guideline for Categories, Scopes and Levels of Classified National Security Information, Military Secrets and Defense Secrets under the Classified National Security Information Protection Act.
2. Other matters will be reviewed according to the overall business functions of government agencies and the actual situations of their personnel.
Admitted personnel in Paragraph 2 of Article 19 of the Act refers to persons who passed the cyber security category examination and meet the condition listed in Subparagraph 1 of the preceding paragraph.
Article 4 The following are the items for competency audit carried out under Paragraph 1 or 2 of Article 19 of the Act:
1. Any of the circumstances specified in Paragraph 1 of Article 28 of the Public Functionaries Appointment Act.
2. Persons who meet any of the conditions listed in Subparagraphs 1, 3, 8, 10 of Paragraph 1 of Article 3 of the Regulations of Special Checking the Civil Servant Related to National Security and Grand Interest.
3. Individuals who have been convicted of computer misuse offenses, or who are currently wanted in unresolved cases related to such offenses.
When any of the situations listed in Subparagraph 1 of the preceding paragraph occurs, the audit is considered failed.
When circumstances described in Subparagraph 2 or 3 of Paragraph 1 arise, the government agency must send the case to its Personnel Selection and Evaluation Committee to assess the seriousness and the nature of the intended position, then submit the committee’s recommendation to the agency head for approval. Appointments made by the head must include a written explanation of the reasons. When an audit finds a potential threat to national security or significant interests, the audit is considered failed.
In the event that the government agency referred to above has not set up a Personnel Selection and Evaluation Committee, the matter shall be handled through another appropriate meeting.
Current civil servants who consider that the decisions mentioned in Paragraphs 2 and 3 are unlawful or clearly improper and have harmed their rights or interests may pursue redress under the Civil Service Protection Act. Non-current civil servants may seek relief under the Administrative Appeal Act.
Article 5 When a government agency or competent authority conducts a competency audit, it should include the required appendix, request the Ministry of Justice Investigation Bureau to carry out the investigation, and inform the individual involved.
After the Ministry of Justice Investigation Bureau provides the audit results, the government agency or competent authority shall provide written notice to the affected party within three days starting the day after receipt.
Article 6 When a person disputes the factual findings of the audit referred to in the preceding article, they may submit their comments and defenses to the government agency or competent authority within 15 days of receiving the written notice. This submission may be made only once.
After a government agency or competent authority has received the comments and defenses, it shall formally request the Ministry of Justice Investigation Bureau to conduct a re-audit.
After the Ministry of Justice Investigation Bureau provides the re-audit results, the government agency or competent authority shall provide written notice to the affected party within three days starting the day after receipt.
Article 7 When the same incumbent has been acting in the dedicated cyber security personnel position defined in Paragraph 1 of Article 19 of the Act for more than three months, a competency audit shall be carried out in accordance with the provisions of this chapter.
Article 8 The competent authority shall plan and promote cyber security competency training for dedicated cyber security personnel (hereinafter referred to as “cyber security competence training”) and implement the following actions:
1. Establishing and implementing a cyber security competence training system.
2. Development of training materials for cyber security competence.
3. Selection and teaching audit of cyber security competency training instruction.
4. Establishing and implementing a cyber security competency assessment and certification system.
5. Other matters concerning cyber security competency training.
The competent authority will separately announce how the items mentioned in Subparagraphs 1, 3, and 4 of the preceding paragraph are to be implemented.
Article 9 Examinees who pass the cyber security competence assessment will be issued a cyber security competency training certificate by the competent authority.
When an examinee is confirmed, after verification, to have cheated or committed other violations, the competent authority must revoke their certificate.
Article 10 Government agencies must maintain a list of cyber security personnel, indicating each person’s areas of expertise and experience available for deployment. The list must be filed in the manner prescribed by the competent authority, and any changes to the list of cyber security personnel must be reported to the competent authority for updating.
Article 11 Dispatching support should be activated under the following circumstances:
1. An agency experiencing a major cyber security incident (hereinafter referred to as “the affected agency”) shall submit a support request in the manner specified by the competent authority because of urgent response needs.
2. When the competent authority determines that dispatching support is necessary for a major cyber security incident.
Article 12 Dispatching support includes damage control during incidents and other aspects of responding to cyber security incidents.
Article 13 The competent authority may consider the following factors when deciding whether to dispatch support:
1. The size, type, region, and urgency of the response required for a cyber security incident.
2. The allocation of cyber security personnel and their availability for dispatching across the affected agency itself, its affiliated and supervised entities, subordinate units, superior government agencies, and the supervising or central competent authority in charge of the relevant sector.
3. The allocation of cyber security personnel and their availability for dispatching within the agency to which the dispatched cyber security personnel belong (hereinafter referred to as “the supporting agency”).
4. Other relevant factors.
Where necessary for making the aforementioned decision, the competent authority may require the affected agency to provide explanations, cooperate, or submit relevant documents and supporting information.
Article 14 When the competent authority dispatches support, it should first consult the affected agency and the supporting agency.
Supporting agencies must follow and carry out orders from the competent authority.
Article 15 When the competent authority dispatches support, it must provide written notice to both the supporting agency and the affected agency.
When notification cannot be given using the method described above for any reason, it may be sent by other appropriate means, and the required notification shall be provided afterwards in the prescribed manner.
The notice referred to in Paragraph 1 must include the following items:
1. The affected agency and the supporting agency.
2. Dispatching period and location.
3. Support needs and precautions.
4. Contact details for the competent authority, the affected agency, and the supporting agency.
5. List of support personnel.
6. Other precautions.
Each dispatching period shall not exceed seven days. Where the competent authority finds it necessary, it may grant one extension, but the extension may not exceed seven days.
Article 16 Personnel involved in dispatching support must cooperate with the competent authority to document emergency response actions, improvement recommendations, and other related matters.
Article 17 Personnel involved in dispatching support who, during the support period, learn confidential and sensitive information of government or specific non-government agencies are required to keep that information confidential.
Article 18 Government agencies may set their own commendation and disciplinary action standards, in accordance with these Regulations, for cyber security matters handled by their personnel.
Article 19 The following situations qualify for commendation:
1. In accordance with the Act, regulations made under its authority, or internal agency rules, establish, amend, and implement cyber security maintenance plans and achieve outstanding performance.
2. Conduct audits of the implementation of cyber security maintenance plans under Article 15 of the Act, or carry out cyber security exercise operation, achieving outstanding performance.
3. Cooperate with the competent authority and the agencies designated under Article 15 of the Act in auditing the implementation of cyber security maintenance plans, conducting cyber security exercise, or in the performance evaluations and commendation procedures for government agency cyber security businesses, achieving outstanding performance after assessment.
4. Carry out cyber security businesses appropriately to prevent cyber security incidents and thereby protect this agency, other agencies, or the public from damage.
5. Proactively identify new types of cyber security vulnerabilities or intrusion threats and share cyber security information to prevent incidents or minimize their damage.
6. Actively monitor for anomalies in cyber security maintenance, promptly detect major cyber security incidents, and carry out reporting and response measures to prevent further spread of damage.
7. Propose concrete improvements or innovative solutions for cyber security businesses that are implemented.
8. Manage the training and development of cyber security personnel and make tangible contributions.
9. Carry out R&D, integration, and application of cyber security technologies, including industry-academia collaboration or industry development activities, and make tangible contributions.
10. Develop technical specifications for cyber security hardware and software, related services, and testing/verification mechanisms, etc., and make tangible contributions.
11. Develop cyber security policy, legal analysis, or international cooperation efforts, and make tangible contributions.
12. Cooperate with the competent authority in dispatching support operation, achieving excellent performance or making tangible contributions.
13. Develop other cyber security businesses, and make tangible contributions.
Article 20 The following situations qualify for disciplinary action:
1. Serious failure to handle the following matters in accordance with the Act, regulations made under its authority, or internal agency rules:
(1) Cyber Security Information Sharing Operation.
(2) Establish, amend, and carry out cyber security maintenance plans.
(3) Propose the implementation of cyber security maintenance plans.
(4) Develop the audit of the implementation of cyber security maintenance plans.
(5) Submit an improvement report based on the audit findings from reviewing how the competent authority and the agencies referred to in Article 15 implemented their cyber security maintenance plan.
(6) Establish the notification and response mechanism of the cyber security incident.
(7) The notification or response operation of the cyber security incident.
(8) Submit reports detailing the investigation, response, and corrective actions for cyber security incidents.
2. Cyber security businesses were judged poor by the competent, superior, or supervisory authority; counseling failed and the situation is serious.
3. Other violations of the Act, regulations issued under it, or an agency’s internal rules that are of a serious nature.
4. Poor supervision of business operations that results in personnel of their subordinates, affiliated units, or supervised agencies being in any of the situations described in the preceding three subparagraphs.
Article 21 When a government agency carries out routine performance reviews of its personnel, it should consider the commendation and disciplinary action described in the preceding two articles. Reviews should be based on the actual causes and course of events, the individual’s motives, purpose, methods, conduct, and the effects of their actions. For personnel who are hired, on contract, or otherwise employed by the agency, any commendation or disciplinary action should also be taken into account when deciding on contract renewal.
Article 22 Before disciplining personnel for any of the situations in the subparagraphs of Article 20, a government agency must give the person an opportunity to respond; where necessary, it may seek advice from relevant experts and scholars on the technical matters of cyber security.
Article 23 The competent authority may delegate the competency audit, cyber security competency training, dispatching support, commendation and disciplinary action procedures, and other related tasks set out in these Regulations to the Administration for Cyber Security of the Ministry of Digital Affairs.
Article 24 These Regulations shall come into effect on the date of promulgation.