Cyber Security Management Act

Amended Date: 2025.09.24

Chapter II Government Agency Cyber Security Management
Article 11
Government agencies shall not download, install, or use products that are harmful to national cyber security. The same shall apply to any broadcasting equipment or Internet access services provided to the public at facilities operated directly or outsourced by the government agency, when necessary to maintain cyber security. However, if such use is required for official duties with no alternative solutions, the agency may, with approval from its Chief Information Security Officer and the Chief Information Security Officer of the agency responsible for receiving implementation reports under Article 14, submit a written request to the competent authority for approval to use the product on a case-by-case basis, with proper record-keeping.
Products that are harmful to national cyber security shall not be downloaded, installed, or used on information and communication equipment distributed by government agencies for official use, and such use must comply with relevant laws and regulations. However, if such use is required for official duties with no alternative solutions, the provisions of the preceding paragraph shall apply mutatis mutandis.
The review procedures, risk assessments, information sharing, usage restrictions, and other related matters regarding products that are harmful to national cyber security, as provided in the preceding two paragraphs, shall be formulated by the competent authority in consultation with relevant agencies and submitted to the Executive Yuan for approval.
Article 12
Government agencies shall establish the position of Chief Information Security Officer, to be concurrently held by the deputy head or other appropriate personnel designated by the head of the agency. The Chief Information Security Officer shall be responsible for promoting and overseeing the agency’s cyber security-related affairs.
Article 13
Government agencies shall comply with the requirements corresponding to their assigned cyber security responsibility levels and, considering the type, volume, and nature of the information they possess or process, as well as the scale and nature of their information and communication systems, shall formulate, revise, and implement cyber security maintenance plans.
Article 14
Government agencies shall annually submit reports on the implementation of their cyber security maintenance plans to their superior or supervisory authorities. Agencies without superior or supervisory authorities shall handle the submission of their cyber security maintenance plan reports in accordance with the following provisions:
1. The Office of the President, the National Security Council, and the Five Yuans shall submit to the competent authority.
2. Municipal governments, municipal councils, county (city) governments, and county (city) councils shall submit to the competent authority.
3. District offices of indigenous districts in special municipalities and their representative councils shall submit to the municipal government; township (town, city) offices and their representative councils shall submit to the county government.
Article 15
Government agencies shall audit the implementation of cyber security maintenance plans by their subordinate and supervised agencies, township (town, city) offices under their jurisdiction, district offices of indigenous districts in special municipalities, and representative councils of townships (towns, cities) as well as indigenous districts in special municipalities.
Article 16
Where deficiencies or areas for improvement are identified in the implementation of the cyber security maintenance plan of an audited agency, the audited agency shall submit a corrective action report to the auditing agency, which shall, in turn, submit the said report together with the audit results to the competent authority in the manner prescribed.
Where deemed necessary, the auditing agency or the competent authority may require the audited agency to provide explanations or make adjustments.
The matters relating to the essential elements of the cyber security maintenance plan provided in the preceding three Articles and in Paragraph 1, the submission of implementation status reports, the frequency, contents, and methods of audits, the delivery of results, the submission of corrective action reports, and other related matters shall be prescribed by the competent authority.
Article 17
Government agencies shall establish a reporting and response mechanism to address cyber security incidents.
When government agencies become aware of a cyber security incident, they shall report such an incident to both the agency designated under Article 14 to receive its implementation status report and the competent authority.
The government agency shall submit, to the notified agency provided in the preceding paragraph, an investigation, handling, and corrective action report regarding the cyber security incident.
The rules regarding the necessary items of the reporting and response mechanisms provided in the preceding three paragraphs, the reporting content, the submission of reports, the conduct of drills, and other related matters shall be prescribed by the competent authority.
Where the agency notified under Paragraph 2 becomes aware of a major cyber security incident, it may provide relevant assistance to the government agency concerned, and, when appropriate, may announce the necessary information and corresponding countermeasures relating to the incident.
Article 18
Government agencies shall, in compliance with the requirements of their assigned cyber security responsibility levels, appoint dedicated cyber security personnel to handle cyber security affairs and incident responses. Personnel with proven performance in their cyber security duties shall be commended.
The competent authority shall properly plan and promote the professional training of dedicated cyber security personnel to enhance their expertise in cyber security. In the event of a major cyber security incident, the competent authority may mobilize cyber security personnel from agencies at all levels to provide support.
The rules governing the commendation, professional training, mobilization, performance evaluation, and other related matters of the personnel provided in the preceding two paragraphs shall be prescribed by the competent authority.
Article 19
Government agencies may, when necessary, conduct suitability reviews of their dedicated cyber security personnel.
The competent authority may, after the announcement of the results of the cyber security personnel recruitment examination, conduct suitability reviews of the successful candidates.
Personnel who refuse to undergo such reviews, or who fail to pass the reviews conducted pursuant to the preceding two paragraphs as determined by the employing agency, shall not engage in cyber security affairs involving national secrets, military secrets, or national defense secrets.
The positions of such personnel may be adjusted by the employing agency in accordance with law, based on internal management considerations and operational needs.
The records of reviews conducted under Paragraphs 1 and 2 shall be handled in confidence by the employing agency in accordance with applicable regulations and shall be properly preserved, and shall not be used for any other purposes. Violations shall be subject to disciplinary action depending on the severity of the circumstances.
The rules governing the authorities responsible for conducting reviews, the personnel subject to review, the review procedures, contents, and other related matters shall be prescribed by the competent authority in consultation with the relevant authorities.