Article 1

These Enforcement Rules are stipulated in accordance with Article 34 of the Cyber Security Management Act (hereinafter referred to as “the Act”).
Article 2

The cyber security competent authority referred to in Paragraph 2 of Article 2 of the Act is the Administration for Cyber Security of the Ministry of Digital Affairs.
Article 3

As referred to in Subparagraph 5 of Article 3 of the Act, military authorities means the Ministry of National Defense and its subordinate organs, institutions, military units, and schools. Intelligence authorities means the authorities specified in Subparagraph 1 of Paragraph 1 and Paragraph 2 of Article 3 of the National Intelligence Work Act.
Article 4

Before designating enterprises, organizations, or institutions under government control pursuant to Article 3, Paragraph 10 of the Act, the central competent authority in charge of the relevant sector shall provide them with an opportunity to present their views. The same requirement applies to the designation of critical infrastructure providers under Paragraph 1 of Article 20 of the Act.
Article 5

A major cyber security incident as defined in Subparagraph 5 of Paragraph 1 of Article 4 of the Act refers to an incident involving a private sector entity that meets one of the following criteria and poses a significant risk to social public interest, national welfare, or economic activity, while also drawing substantial public attention:
1. Critical breach of core business information.
2. Serious alteration of core business information or core information and communication system.
3. Impact on or interruption of core information and communication system, which cannot be recovered within tolerable interruption time.
Article 6

When government agencies or specific non-government agencies (hereinafter referred to as “each agency”) submit an improvement report in accordance with Paragraph 2 of Article 8, Paragraph 1 of Article 16, Paragraph 5 of Article 20 or Paragraph 3 of Article 21 of the Act, they shall present the following information based on the audit findings regarding the implementation of their cyber security maintenance plans:
1. Deficiencies or items requiring improvement and enhancement.
2. Root cause.
3. Measures implemented across management, technical, human resources, or other resource dimensions to correct deficiencies or strengthen areas requiring improvement.
4. The scheduled completion timeline for the aforementioned measures and the methods for tracking implementation progress.
Following submission of the improvement report as stipulated in the preceding paragraph, each agency shall submit a report on the implementation status of the improvement report within the timeframe and according to the procedures designated by the audit agency.
Article 7

When government agencies outsource the establishment, maintenance, operation, or provision of information and communication services for information and communication systems in accordance with Article 10 of the Act (collectively referred to as “entrusted business”), they shall pay attention to the following matters when selecting and supervising contractors:
1. The contractor shall be equipped with sufficient cyber security personnel who are appropriately qualified, hold cyber security professional licenses, or possess equivalent professional experience in related business areas.
2. Whether the contractor is permitted to sub-delegate the entrusted business, the permissible scope and parties for sub-delegation, and the cyber security and maintenance measures that the sub-delegated contractor must implement.
3. Personnel executing entrusted business that involves classified national security information must undergo competency audit and are subject to exit restrictions in compliance with the Classified National Security Information Protection Act.
4. For entrusted business containing customized information and communication system development, the contractor must provide security testing certification. When the information and communication system is classified as a core information and communication system of the contracting agency or the contract value exceeds NT$10 million, the agency shall either perform its own security testing or engage a third party to conduct it. When it involves the use of systems or resources developed by non-contractors, the non-self-developed content and its source shall be marked and proof of authorization shall be provided.
5. When a contractor executes entrusted business and violates information and communication security laws or regulations, or becomes aware of any information and communication security incidents, the contractor shall immediately notify the contracting agency and implement appropriate remedial measures.
6. Upon termination or dissolution of the entrustment relationship, the contractor must confirm the return, transfer, deletion, or destruction of all data held in the course of contract performance.
7. Other cyber security and maintenance measures to be implemented by the contractor.
8. The contracting agency shall periodically, or upon learning of any cyber security incidents that may impact the entrusted business, verify the execution of such operations through audits or other suitable methods.
When conducting the competency audit referred to in Subparagraph 3 above, the contracting agency should consider the classification level and content of classified national security information involved in the entrusted business. Within the necessary scope, it shall verify whether personnel of the contractor responsible for executing such business and other personnel who may have access to such classified national security information have any of the following circumstances:
1. Individuals who have been convicted of computer misuse offenses, or who are currently wanted in unresolved cases related to such offenses.
2. Those who have been convicted of leaking secrets, or, after the end of the period of national mobilization in suppression of communist rebellion, persons who previously committed internal rebellion or external aggression, and who have been finally convicted or remain wanted with unresolved cases.
3. Previously employed as a civil servant and received administrative sanctions at the level of demerit or higher for breaching security and confidentiality requirements.
4. Has been induced or forced by a foreign government, or by authorities from mainland China, Hong Kong, or Macau, to carry out actions that harm national security or the country’s significant interests.
5. Other specific matters related to the protection of classified national security information.
The circumstances described in Subparagraph 3 of Paragraph 1 must be documented in the tender announcement, tender documents, and contract. Prior to conducting the competency audit, written consent from all relevant parties is also required.
Article 8

The third-party cooperation mechanism as referred to in Paragraph 4 of Article 10 of the Act means an impartial and professional institution that is independent from the competent authority, participating government agency, and specific non-government agency.
Article 9

The cyber security maintenance plans specified in Article 13, Paragraph 2 of Article 20, and Paragraph 1 of Article 21 of the Act shall include the following items:
1. Core business and their importance.
2. Cyber security policies and goals.
3. Cyber security promotion organization.
4. Allocation of full-time staff and funding.
5. Establishment of cyber security officer.
6. Conduct an inventory of information and communication systems, and identify core information and communication systems and related assets.
7. Cyber security risk management.
8. Cyber security defense and control measures.
9. The notification, response and exercise mechanism of the cyber security incident.
10. Mechanisms for assessing and responding to cyber security information.
11. Management measures for outsourced information and communication systems or services.
12. Evaluation framework for cyber security compliance in business operations conducted by organizational personnel.
13. Continuous improvement of cyber security maintenance plans and implementation status and performance management mechanisms.
Various agencies shall include the execution results and relevant explanations of each subparagraph mentioned above when submitting reports on the implementation status of their cyber security maintenance plans as required under Article 14, Paragraph 3 of Article 20, or Paragraph 2 of Article 21 of the Act.
The development, revision, and implementation of cyber security maintenance plans, as well as the submission of implementation reports, may be carried out by the receiving agencies or their subordinate or supervisory government agencies, their governed villages (townships/cities), mountain indigenous district offices of special municipalities, and the subordinate or supervisory government agencies of such governed villages (townships/cities) and mountain indigenous district offices of special municipalities, and the representative councils of the villages (townships/cities) and mountain indigenous districts of special municipalities, with consent from the agencies receiving such implementation reports under Article 14 of the Act. Similarly, specific non-government agencies may delegate these responsibilities to the central competent authority in charge of the relevant sector, the subordinate or supervisory government agency of the central competent authority in charge of the relevant sector, or the specific non-government agency under the charge of the central competent authority in charge of the relevant industry, subject to approval from the central competent authority in charge of the relevant sector.
Article 10

The scope of core business referred to in Subparagraph 1 of Paragraph 1 of the preceding article shall be as follows:
1. Business that government agencies can, based on their organizational regulations, reasonably determine falls within their core responsibilities and authority.
2. The operations necessary for the operation and maintenance of each agency and the provision of critical infrastructure.
3. The primary services or functions of public enterprises, specific foundations, and organizations or institutions controlled by the government.
4. Business operations of various agencies that fall under Subparagraphs 1 to 5 of Article 4 or Subparagraphs 1 to 5 of Article 5 of the Regulations on Classification of Cyber Security Responsibility Levels.
The core information and communication system referred to in Subparagraph 6, Paragraph 1 of the preceding article means a system necessary to support the continuity of core business operations, or any system determined to have a high protection requirement level according to the Regulations on Classification of Cyber Security Responsibility Levels set forth in Schedule 9 of the Principles of Classification of Levels of Defense Requirements of Information and Communication System.
Article 11

With respect to the superior agency as defined in Article 14 of the Act, the following shall apply at the central agency level:
1. For the secondary agencies and independent agencies under the Office of the President and the Executive Yuan, and the secondary agencies under the Examination Yuan and the Control Yuan, the superior agency is the Office of the President, the Executive Yuan, the Examination Yuan or the Control Yuan, respectively.
2. For agencies at the third level and below under the Executive Yuan, the Examination Yuan, and the Control Yuan, the superior agency is the second-level agency to which they belong.
3. For the courts directly under the Judicial Yuan and the Judges Academy, the superior agency is the Judicial Yuan; for the branch courts and local courts under the Taiwan High Court and the Taiwan Kaohsiung Juvenile and Family Court, the superior agency is the Taiwan High Court; for the local courts under the Fuchien High Court Kinmen Branch Court, the superior agency is the Fuchien High Court Kinmen Branch Court.
Article 12

Reports on the investigation, handling, and improvement of cyber security incidents, as specified in Paragraph 3 of Article 17 and Paragraph 3 of Article 24 of the Act, shall include the following items:
1. The time of incident occurrence or discovery, and the completion time of damage control and recovery operations.
2. Assessment of the incident’s impact scope and damage.
3. The history and progression of damage control and restoration procedures.
4. The history and progression of incident investigation and handling procedures.
5. Root cause analysis of the incident.
6. Measures implemented across management, technical, human resources, or other aspects to prevent the recurrence of similar incidents.
7. The scheduled completion timeline for the aforementioned measures and the performance tracking mechanism.
Article 13

The term “major cyber security incident” referred to in Paragraph 5 of Article 17, Paragraph 2 of Article 18, Paragraphs 3 and 5 of Article 24, and Paragraphs 1 and 2 of Article 25 of the Act means Level 3 and Level 4 cyber security incidents as defined in Paragraphs 4 and 5 of Article 2 of the Regulations Governing the Reporting, Response, and Drills of Cyber Security Incidents.
Article 14

When the competent authority, an agency receiving reports on the implementation of cyber security maintenance plans as specified in Article 14 of the Act, or a central competent authority in charge of the relevant sector becomes aware of a major cyber security incident, the announcement of necessary information and response measures pursuant to Paragraph 5 of Article 17 and Paragraph 5 of Article 24 of the Act must include the following details: the time when the incident occurred or was discovered, the cause, the extent of impact, the control status, and the subsequent improvement measures.
The following circumstances regarding the necessary content and response measures related to the incident in the preceding paragraph shall not be publicly announced:
1. Information involving business secrets or relating to the business operations of an individual, juristic person or group, the disclosure of which might infringe upon the rights or other legitimate interests of the government agency, individual, juristic person or group; unless it is otherwise provided by law, or necessary for public welfare, or necessary for the protection of the lives, bodies or health of the people, or with the consent of the party involved.
2. Other circumstances under which cyber security information should be kept confidential, or its disclosure should be restricted or prohibited.
Where the necessary content and response measures related to the incident in Paragraph 1 contain circumstances that should not be disclosed, only the other parts may be announced.
Article 15

These Enforcement Rules shall come into effect on the date of promulgation.