Title: Regulations Governing the Reporting, Response, and Drills of Cyber Security Incidents

Amended Date: 2026.01.05
Chapter II. The notification, response and exercise of cyber security incident of government agency
Article 6 Upon awareness of the cyber security incident, the government agency shall conduct the notification to the system platform designated by the competent authority within one hour.
In case of the change to the level of the cyber security incident under the preceding paragraph, the government agency shall continue the notification as provided for in the preceding paragraph.
When the notification conducted in the manner as specified in Paragraph 1 is prevented for any cause, the government agency shall conduct the notification in another appropriate manner within the timeframes prescribed under the same paragraph, and note the cause that prevented the notification from being conducted in the required manner.
After the cause that prevented the notification from being conducted in the manner required under Paragraph 1 is eliminated, the government agency shall supplement the notification in the same manner.
Article 7 Under Paragraph 2, Article 17 of the Act, after the completion of the notification of the cyber security incident to the notified agency, the review of the level of such cyber security incident shall be completed within the following timeframes, and its level may be changed according to the review results:
1. Within eight hours after receipt of the notification of a level-1 or level-2 cyber security incident.
2. Within two hours after receipt of the notification of a major cyber security incident.
After completion of the required review of the level of the cyber security incident to the notified agency, the agencies under the preceding paragraph shall notify the competent authority of the review results within one hour, and shall provide information relating to the basis of the reviews.
Upon receipt of the notifications under the preceding paragraph, the competent authority shall further review the level of the cyber security incident according to the relevant information, and may change its level according to the review result. However, where it is deemed necessary, or where the agencies under the preceding paragraph fail to notify of the required review results, the competent authority may directly review such cyber security incident and may change its level.
Article 8 Upon awareness of the cyber security incident, the government agency shall complete the damage control or recovery operation within the following timeframes, and shall conduct the notification to the notified agency in the manner as designated by the competent authority according to Paragraph 2 of Article 17 of the Act:
1. Within seventy-two hours of the awareness of a level-1 or level-2 cyber security incident.
2. Within thirty-six hours of the awareness of a major cyber security incident.
After completion of the damage control or recovery operation under the preceding paragraph, the government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management and improvement report of cyber security incident to the aforesaid notified agency within one month in the manner designated by the competent authority.
The timeframe of submission of the investigation, management, and improvement report under the preceding paragraph may be extended with the consent of the notified agency mentioned in Paragraph 1.
The investigation, management, and improvement report mentioned in Paragraph 2 shall include the items specified in Article 12 of the Enforcement Rules of the Act.
Where the notified agency mentioned in Paragraph 1 deems necessary or deems there is any non-compliance with the regulatory requirement, improper matters or other matters to be improved in respect of the damage control or recovery operation under the same paragraph and the report submitted under Paragraph 2, it may require the government agency to give explanations and make adjustments.
Article 9 Under paragraph 2 of Article 17 of the Act, the notified agency shall handle the notification and response operation for cyber security incidents to the subordinate or supervisory government agencies, their governed villages (townships/cities), mountain indigenous district offices of special municipalities and such governed villages (townships/cities) and the representative councils of mountain indigenous district offices of special municipalities; it shall provide necessary support or assistance, where circumstances so require.
The competent authority shall provide necessary support or assistance in respect of the response operation of the cyber security incident implemented by the government agency, where circumstances so require.
After the government agency becomes aware of a major cyber security incident, its Cyber Security Officer shall convene the meetings to discuss relevant matters, and may request relevant agencies to provide assistance.
Article 10 The Office of the President, the National Security Council, the Five Yuans, and their directly affiliated agencies must plan and carry out cyber security exercises for themselves or for their subordinate or supervisory government agencies. Within one month after completion, they must submit a report on execution and outcomes to the competent authority. The exercises must cover at least the following items:
1. Social engineering exercise shall be conducted once every six months.
2. The notification and response exercise of the cyber security incident shall be conducted once a year.
The Office of the President, the National Security Council, and the Five Yuans and special municipalities and county/city councils shall plan and conduct the cyber security exercise operation required under the preceding paragraph.
Special municipality and county (city) governments shall, in line with paragraph 1, plan and carry out cyber security exercises for themselves or for their subordinate or supervisory government agencies, and the following organizations:
1. Their governed villages (townships/cities), mountain indigenous district offices of special municipalities and the subordinate or supervisory government agencies.
2. The township (town or city) representative councils mentioned above, and the representative councils of mountain indigenous districts of special municipalities.