Amended Article

Title:

Regulations Governing the Reporting, Response and Drills for Cyber Security Incidents

Amended Date: 2026.01.05 
Article 1 These Regulations are prescribed pursuant to Paragraph 4, Article 10; Paragraph 4, Article 17; and Paragraph 4, Article 24 of the Cyber Security Management Act (hereinafter referred to as the “Act”).
Article 2 Cyber security incidents are classified into four levels.
A cyber security incident occurring at a government agency or a specific non-government agency (hereinafter referred to as an “agency”) under any of the following circumstances is a level 1 cyber security incident:
1. Minor disclosure of non-core business information.
2. Minor tampering with non-core business information or a non-core information and communication system.
3. The operation of a non-core information and communication system is affected or interrupted, but can be restored within the tolerable interruption time, thereby affecting the agency’s routine operations.
A cyber security incident occurring at an agency under any of the following circumstances is a level 2 cyber security incident:
1. Serious disclosure of non-core business information, or a minor disclosure of core business information not involving the maintenance or operation of critical infrastructure.
2. Serious tampering with non-core business information or a non-core information and communication system, or minor tampering with core business information or a core information and communication system not involving the maintenance or operation of critical infrastructure.
3. The operation of a non-core information and communication system is affected or interrupted and cannot be restored within the tolerable interruption time, or the operation of a core information and communication system not involving the maintenance or operation of critical infrastructure is affected or interrupted but can be restored within the tolerable interruption time.
A cyber security incident occurring at an agency under any of the following circumstances is a level 3 cyber security incident:
1. Serious disclosure of core business information not involving the maintenance or operation of critical infrastructure, or a minor disclosure of confidential information relating to general official affairs or of core business information involving the maintenance or operation of critical infrastructure.
2. Serious tampering with core business information or a core information and communication system not involving the maintenance or operation of critical infrastructure, or minor tampering with confidential information relating to general official affairs, core business information, or a core information and communication system involving the maintenance or operation of critical infrastructure.
3. The operation of a core information and communication system not involving the maintenance or operation of critical infrastructure is affected or interrupted and cannot be restored within the tolerable interruption time, or the operation of a core information and communication system involving the maintenance or operation of critical infrastructure is affected or interrupted but can be restored within the tolerable interruption time.
A cyber security incident occurring at an agency under any of the following circumstances is a level 4 cyber security incident:
1. Serious disclosure of confidential information relating to general official affairs, or of core business information involving the maintenance or operation of critical infrastructure, or a disclosure of classified national security information.
2. Serious tampering with confidential information relating to general official affairs, core business information, or a core information and communication system involving the maintenance or operation of critical infrastructure, or tampering with classified national security information.
3. The operation of a core information and communication system involving the maintenance or operation of critical infrastructure is affected or interrupted and cannot be restored within the tolerable interruption time.
Article 4 Each agency shall stipulate operational guidelines for the reporting of cyber security incidents, which shall include the following matters:
1. The process and responsibility for the determination of incident levels.
2. Assessment of the scope of impact, the extent of damage, and the agency’s response capabilities.
3. Internal reporting procedures for cyber security incidents.
4. Methods for notifying other agencies affected by the cyber security incident.
5. Drills covering the matters set out in the preceding four subparagraphs.
6. The reporting point of contact and contact methods for cyber security incident reporting.
7. Other matters relating to the reporting of cyber security incidents.
Article 5 Each agency shall stipulate operational guidelines for the response to cyber security incidents, the content of which shall include the following matters:
1. The organization of the response team.
2. Drills to be conducted before an incident occurs.
3. Damage-control mechanisms upon the occurrence of an incident.
4. Recovery, identification, investigation, and corrective mechanisms after an incident occurs.
5. Preservation of records relating to the incident.
6. Other matters relating to the response of cyber security incidents.
Article 6 A government agency shall, within one hour after becoming aware of a cyber security incident, report the matter on the system platform designated by the competent authority.
Where the level of the cyber security incident changes under the preceding paragraph, the government agency shall continue to update the report in accordance with the preceding paragraph.
Where reporting cannot be made in the manner specified in Paragraph 1 for any reason, the government agency shall report in another appropriate manner within the prescribed timeframe and state the reason why it was unable to report in the prescribed manner.
After the reason for being unable to report in the manner required under Paragraph 1 has been eliminated, the government agency shall report the matter retroactively in the prescribed manner.
Article 7 The agency notified pursuant to Paragraph 2, Article 17 of the Act shall, after receiving a report of a cyber security incident, complete its review of the incident level within the following timeframes and may change the level based on the review results:
1. Within eight hours after receipt of a report of a level 1 or level 2 cyber security incident.
2. Within two hours after receipt of a report of a major cyber security incident.
After completing the review under the preceding paragraph, the notified agency shall, within one hour, notify the competent authority of the review results and provide information on the basis for the review.
Upon receipt of the notification under the preceding paragraph, the competent authority shall further review the incident level based on the relevant information and may change the level based on the review results. However, where it deems it necessary, or where the notified agency fails to notify the review results as required, the competent authority may directly review the cyber security incident and change its level.
Article 8 Upon becoming aware of a cyber security incident, a government agency shall, within the following timeframes, complete damage-control or recovery operations and notify the notified agency under Paragraph 2, Article 17 of the Act in the manner designated by the competent authority:
1. Within 72 hours after becoming aware of a level 1 or level 2 cyber security incident.
2. Within 36 hours after becoming aware of a major cyber security incident.
After completion of the damage control or recovery operations under the preceding paragraph, the government agency shall continue the investigation and handling of the cyber security incident, and shall submit the investigation, handling, and corrective action report on the cyber security incident to the notified agency referred to in the preceding paragraph within one month, in the manner designated by the competent authority.
The timeframe for submission of the investigation, handling, and corrective action report under the preceding paragraph may be extended with the consent of the notified agency referred to in Paragraph 1.
The investigation, handling, and corrective action report referred to in Paragraph 2 shall include the matters specified in Article 12 of the Enforcement Rules of the Act.
Where the notified agency referred to in Paragraph 1 deems it necessary, or finds any violation of laws or regulations, impropriety, or other matter requiring improvement in the damage-control or recovery operations under the same paragraph or in the report submitted under Paragraph 2, it may require the government agency to provide explanations and make adjustments.
Article 9 The agency notified pursuant to Paragraph 2, Article 17 of the Act shall, as circumstances require, provide necessary support or assistance with respect to the reporting and response operations for cyber security incidents carried out by its subordinate or supervised government agencies, and the following entities under its jurisdiction: township (town, city) offices, district offices of indigenous districts in special municipalities, township (town, city) representative councils, and representative councils of indigenous districts in special municipalities.
The competent authority shall, as circumstances require, provide necessary support or assistance for the response operations for cyber security incidents carried out by government agencies.
After a government agency becomes aware of a major cyber security incident, its Chief Information Security Officer shall convene a meeting to discuss relevant matters and may request relevant agencies to provide assistance.
Article 10 The directly affiliated agencies of the Office of the President, the National Security Council, and the Five Yuans shall plan and carry out cyber security drills for themselves or for their subordinate or supervised government agencies. Within one month after the drills are completed, they shall submit a report on their implementation and results to the competent authority. The drills shall include at least the following items:
1. Social engineering drills shall be conducted once every six months.
2. Reporting and response drills for cyber security incidents shall be conducted once every year.
The Office of the President, the National Security Council, the Five Yuans, and special municipality and county/city councils shall plan and conduct the cyber security drill operations referred to in the preceding paragraph.
Special municipality and county/city governments shall, in accordance with Paragraph 1, plan and carry out cyber security drills for themselves or their subordinate or supervised government agencies, as well as the following agencies:
1. The township (town, city) offices and district offices of indigenous districts in special municipalities under their jurisdiction, and their subordinate or supervised government agencies.
2. The representative councils of townships (towns, cities) and indigenous districts of special municipalities referred to in the preceding subparagraph.
Article 11 A specific non-government agency shall, within one hour after becoming aware of a cyber security incident, report the matter in the manner designated by the central competent authority in charge of the relevant sector.
Where the level of the cyber security incident changes under the preceding paragraph, the specific non-government agency shall continue to update the report in accordance with the preceding paragraph.
Where reporting cannot be made in the manner specified in Paragraph 1 for any reason, the specific non-government agency shall report in another appropriate manner within the prescribed timeframe and state the reason why it was unable to report in the prescribed manner.
After the reason for being unable to report in the manner required under Paragraph 1 has been eliminated, the specific non-government agency shall report the matter retroactively in the prescribed manner.
Article 12 After a specific non-government agency has completed reporting of a cyber security incident, the central competent authority in charge of the relevant sector shall complete its review of the incident level within the following timeframes, and may change the level based on the review results:
1. Within eight hours after receipt of a report of a level 1 or level 2 cyber security incident.
2. Within two hours after receipt of a report of a major cyber security incident.
After completing the review under the preceding paragraph, the central competent authority in charge of the relevant sector shall, within one hour, submit the review results, the basis for the review, and other necessary information to the competent authority in the manner specified by the competent authority.
Upon receipt of the information under the preceding paragraph, the competent authority may review the incident level and change it accordingly. However, where it deems it necessary, or where the central competent authority in charge of the relevant sector fails to report the review results as required, the competent authority may directly review the cyber security incident and change its level.
Article 13 Upon becoming aware of a cyber security incident, a specific non-government agency shall, within the following timeframes, complete damage-control or recovery operations and notify in the manner prescribed by the central competent authority in charge of the relevant sector:
1. Within 72 hours after becoming aware of a level 1 or level 2 cyber security incident.
2. Within 36 hours after becoming aware of a major cyber security incident.
After completing the damage-control or recovery operations under the preceding paragraph, the specific non-government agency shall continue the investigation and handling of the cyber security incident and shall submit an investigation, handling, and corrective action report within one month in the manner designated by the central competent authority in charge of the relevant sector.
The timeframe for submission of the investigation, handling, and corrective action report under the preceding paragraph may be extended with the consent of the central competent authority in charge of the relevant sector.
The investigation, handling, and corrective action report referred to in Paragraph 2 shall include the matters specified in Article 12 of the Enforcement Rules of the Act.
Where the central competent authority in charge of the relevant sector deems it necessary, or finds any non-compliance with regulatory requirements, impropriety, or other matter requiring correction in the damage-control or recovery operations under Paragraph 1 or in the report submitted under Paragraph 2, it may require the specific non-government agency to provide explanations and make adjustments.
Upon reviewing the investigation, handling, and corrective action report on a major cyber security incident submitted by the specific non-government agency, the central competent authority in charge of the relevant sector shall submit the report to the competent authority. Where the competent authority deems it necessary, or finds any non-compliance with regulatory requirements, impropriety, or other matter requiring correction, it may require the specific non-government agency to provide explanations and make adjustments.
Article 14 The central competent authority in charge of the relevant sector shall, as circumstances require, provide necessary support or assistance with respect to the reporting and response operations for cyber security incidents carried out by the specific non-government agencies under its jurisdiction.
The competent authority shall, as circumstances require, provide necessary support or assistance for the response operations for cyber security incidents carried out by specific non-government agencies.
After a specific non-government agency becomes aware of a major cyber security incident, its Chief Information Security Officer shall convene a meeting to discuss relevant matters and may request relevant agencies to provide assistance.
Article 15 For cyber security incidents affecting agencies, the competent authority may convene meetings based on the scope of impact and the extent of damage, and invite relevant agencies to discuss damage control, recovery, and other related matters in connection with the incident.
Article 16 Under Paragraph 2, Article 17 of the Act, government agencies shall cooperate with cyber security drill operations planned or conducted by the notified agency, the contents of which may include the following matters:
1. Social engineering drills.
2. Reporting and response drills for cyber security incidents.
3. Cyber offense and defense drills.
4. Scenario-based drills.
5. Other necessary drills.
Under the preceding paragraph, specific non-government agencies shall cooperate with cyber security drill operations planned or conducted by the central competent authority in charge of the relevant sector. However, where such a drill may infringe upon the rights or legitimate interests of a specific non-government agency, it may be conducted only with the agency’s prior written consent.
Where cyber security drill operations planned and conducted by the competent authority under Paragraph 4, Article 10 of the Act may infringe upon the rights or legitimate interests of a specific non-government agency, such drill operations may be conducted only with the agency’s prior written consent.
Article 17 For all cyber security drill operations planned and conducted in accordance with the preceding article, any participant who becomes aware of confidential or sensitive information of a government agency or a specific non-government agency during the course of the drills shall keep such information confidential.
Article 18 If, before these Regulations enter into force, a government agency has, independently or jointly with other agencies, formulated a reporting and response mechanism for itself, its subordinate or supervised government agencies, or the specific non-government agencies under its jurisdiction, and has implemented such mechanism for one year or more, the agency, along with its subordinate or supervised government agencies or the specific non-government agencies under its jurisdiction, may, upon approval by the competent authority, continue to handle the reporting and response of cyber security incidents in accordance with such mechanism.
Where the reporting and response mechanism referred to in the preceding paragraph is amended, the amendment shall be resubmitted to the competent authority for approval.
Article 19 The competent authority may delegate matters relating to the reporting, response, and drills for cyber security incidents, as well as other related tasks set out in these Regulations, to the Administration for Cyber Security, Ministry of Digital Affairs.
Article 20 These Regulations shall come into effect on the date of promulgation.