Title: |
Regulations on Classification of Cyber Security Responsibility Levels(2019.08.26) |
Date: |
|
Article 4
|
The cyber security responsibility levels of each agency under any of the following circumstances are Level-A: 1. Its business involves classified national security information. 2. Its business involves matters of foreign affairs, national defense, or homeland security. 3. Its business involves the maintenance operation of cyber security systems commonly used for nationwide people services or cross agencies. 4. Its business involves the possession of personal information of nationwide people or public officials. 5. It is a government agency, and its business involves matters of nationwide energy, water resources, telecommunications, transportation, banking & finance, or emergent rescues. 6. It is a critical infrastructure provider, and the central government level authority in charge of the subject industry, based on the consideration of the number of users, market share, the area and the substitutability of its business or maintenance operation of critical infrastructures and services, considers that the failures of or impact on its cyber security system might cause disasters or extremely serious impact on social public interests, people’s morale, or the security of people’s lives, body or property. 7. It is a government medical center.
|
Article 5
|
The cyber security responsibility levels of each agency under any of the following circumstances are Level-B. 1. Its business involves the security maintenance and management of sensitively scientific technology information that is donated, researched, or developed by the government agency. 2. Its business involves the maintenance operation of cyber systems that are commonly used for regional or local people services or cross agencies. 3. Its business involves the possession of the archives of personal information of regional or local people. 4. Its business involves the maintenance operation of information and communication systems that are commonly used for the central secondary authority and its subordinate government agencies (institutions). 5. It is a critical infrastructure provider, and the central government level authority in charge of the subject industry, based on consideration of the number of users, market share, the area and the substitutability of its business, or the maintenance operation of critical infrastructure and services, considers that the failure of or impacts on its cyber security systems might cause serious impact on social public interest, people’s morale, or the security of people’s lives, body or properties. 6. It is a public regional hospital or local hospital.
|
Article 8
|
The cyber security responsibility levels of each agency under any of the following circumstances are Level-E: 1. It neither has cyber systems, nor provides the cyber service. 2. It is a government agency, and all its information and communication business is conducted concurrently or managed by its superior agency, supervisory agency or the agency designated by the agencies mentioned above. 3. It is a specific non-government agency, and all of its information and communication business is conducted concurrently or managed by its central authority in charge of relevant industry, the subordinate government agency of the central authority in charge of relevant industry, the specific non-government agency under their charge by the central authority in charge of relevant industry, or the funding government agency.
|
Article 11
|
Each agency shall conduct the matters specified in Schedule 1 to Schedule 8, depending on its cyber security responsibility levels. For the information and communication system that is developed by each agency itself or outsourced for the development, each agency shall complete the classification of information and communication system according to the principles of classification of defense requirements of information and communication system specified in Schedule 9, and shall implement control measures according to the defense standards of information and communication system specified in Schedule 10; if the central authority in charge of relevant industry of a specific non-government agency considers it is necessary to otherwise provide for defense standards of specific types of the information and communication systems, it may propose by itself the defense standards and report such standards to the competent authority for approval, and shall follow the requirements of such standards, if approved. In conducting the matters specified in Schedule 1 to Schedule 8 or implementing control measures specified in Schedule 10, if each agency has apparent difficulties in conducting or implementing specific matters or control measures due to such factors as technical limitation, design, structure or nature of individual cyber systems, it may, with consent of each agency submitting its levels under Paragraph 2 to Paragraph 4 of Article 3 or each agency approving its levels under Paragraph 5 of the same article, and upon reporting to the competent authority for recordation, be exempted from the implementation of such matters or control measures. The government agency whose cyber security responsibility levels are Level-A or Level-B shall report the implementation status of matters under Paragraph 1 and Paragraph 2 in the manner designated by the competent authority. The central government level authority in charge of the subject industry may require the specific non-government agency regulated by it to report the implementation status of matters under Paragraph 1 and Paragraph 2 in the manner designated by it.
|
Article 12
|
The implementation date of the Regulations shall be stipulated by the competent authority. The amendments to the Regulations shall take effect on the date of promulgation.
|