Title: Cyber Security Management Act

Amended Date: 2025.09.24

Chapter III. Specific Non-Government Agency Cyber Security Management
Article 20 The central competent authority in charge of the relevant sector shall, after consulting relevant government agencies, private organizations, and experts and scholars, designate critical infrastructure providers, submit the designation to the competent authority for approval by the Executive Yuan, and notify the approved entities in writing.
Critical infrastructure providers shall comply with the requirements of their assigned cyber security responsibility levels, appoint dedicated cyber security personnel, and considering the types, volume, and nature of the information they possess or process, as well as the scale and nature of the information and communication systems, formulate, revise, and implement cyber security maintenance plans.
Critical infrastructure providers shall report on the implementation of their cyber security maintenance plans to the central competent authority in charge of the relevant sector.
The central competent authority in charge of the relevant sector shall, taking into comprehensive consideration the importance and sensitivity of the business of the critical infrastructure providers under its supervision, the scale and nature of the information and communication systems, the frequency and severity of cyber security incidents, and other cyber security-related factors, conduct periodic audits of the implementation of their cyber security maintenance plans.
Where deficiencies or areas for improvement are identified in the implementation of a critical infrastructure provider’s cyber security maintenance plan, the provider shall submit a corrective action report to the central competent authority in charge of the relevant sector.
The central competent authority in charge of the relevant sector shall, in the manner prescribed, submit the audit results and corrective action reports to the competent authority.
Article 21 Specific non-government agencies other than critical infrastructure providers shall comply with the requirements of their assigned cyber security responsibility levels, appoint dedicated cyber security personnel, and, considering the types, volume, and nature of the information they possess or process, as well as the scale and nature of their information and communication systems, formulate, revise, and implement cyber security maintenance plans.
The central competent authority in charge of the relevant sector may require the specific non-government agencies under its supervision provided in the preceding paragraph to report on the implementation of their cyber security maintenance plans.
The central competent authority in charge of the relevant sector may audit the implementation of the cyber security maintenance plans of the specific non-government agencies under its supervision provided in Paragraph 1. Where deficiencies or areas for improvement are identified, the audited specific non-government agencies shall, within a designated period, submit a corrective action report.
The central competent authority in charge of the relevant sector shall, in the manner prescribed, submit the audit results and corrective action reports to the competent authority.
Article 22 The matters relating to the essential elements of the cyber security maintenance plans provided in the preceding two articles, the submission of implementation status reports, the frequency, contents, and methods of audits, the delivery of results, the submission of corrective action reports, and other matters to be followed shall be formulated by the central competent authority in charge of the relevant sector and submitted to the competent authority for approval.
Article 23 Specific non-government agencies shall appoint a Chief Information Security Officer, who shall be a representative, manager, other person with authority, or an appropriate designated member of personnel, responsible for promoting and overseeing the specific non-government agency’s cyber security-related affairs.
Article 24 Specific non-government agencies shall establish notification and response mechanisms for cyber security incidents.
When specific non-government agencies become aware of a cyber security incident, they shall notify the central competent authority in charge of the relevant sector of the incident.
The specific non-government agency shall submit an investigation, handling, and corrective action report regarding the cyber security incident to the central competent authority in charge of the relevant sector; in the case of a major cyber security incident, the report shall also be submitted to the competent authority.
The rules regarding the necessary items of the reporting and response mechanism, the reporting content, submission of reports, delivery, drill exercises, and other matters to be followed provided in the preceding three paragraphs shall be prescribed by the competent authority.
When the central competent authority in charge of the relevant sector or the competent authority becomes aware of a major cyber security incident, it shall provide necessary assistance; at an appropriate time, it may also announce the necessary information and response measures relating to the incident.
Article 25 The central competent authority in charge of the relevant sector, for the purpose of investigating a major cyber security incident occurring at a specific non-government agency, may carry out the investigation in accordance with the following procedures:
1. Notify the parties concerned or related parties to provide statements in person.
2. Notify the parties concerned and related parties to submit forensic or investigative reports issued by independent third-party institutions.
3. Dispatch personnel, appoint or commission other agencies (organizations) to conduct necessary inspections at the premises of the parties concerned and related parties.
The related parties provided in the preceding paragraph are limited to contractors entrusted by the specific non-government agency to establish, maintain, operate or provide information and communication systems or information and communication services that are related to the major cyber security incident.
The parties concerned or related parties shall not evade, obstruct, or refuse any investigation conducted by the central competent authority in charge of the relevant sector pursuant to Paragraph 1.
Personnel carrying out the investigation shall present identification or proof of authority for performing their duties; if such identification or proof is not presented, investigated parties may refuse compliance.
Agencies (organizations) appointed or commissioned under Paragraph 1, Subparagraph 3 shall not disclose any confidential information of the specific non-government agency acquired while performing their assigned or commissioned duties.
Article 26 Personnel of specific non-government agencies with proven performance in their cyber security duties shall be commended.
Article 27 The central competent authority in charge of the relevant sector may restrict or prohibit a specific non-government agency from downloading, installing, or using products that are harmful to national cyber security. The same shall apply to any broadcasting equipment or Internet access services provided to the public at facilities operated directly or outsourced by the specific non-government agency, when necessary to maintain cyber security. However, if such use is required for official duties with no alternative solutions, the specific non-government agency may, with approval from the Chief Information Security Officer of the agency, submit a written report to the central competent authority in charge of the relevant sector for approval to use the product on a case-by-case basis, with proper record-keeping.
The control measures restricting or prohibiting the use by specific non-government agencies of products that are harmful to national cyber security, as provided in the preceding paragraph, shall be prescribed by the central competent authority in charge of the relevant sector and submitted to the competent authority for recordation.