Security Organization (CC-13000, annual audit)
- The company shall have appropriate human resources and equipment available for planning and monitoring the information security system and for implementing information security management operations. The job responsibilities of the relevant staff, and any other duties they hold concurrently, shall comply with applicable regulations.
- The company shall designate a vice president or other high-level supervisor to be responsible for coordinating and implementing information security management and, where necessary, may also establish an interdepartmental "Information Security Task Force" to handle overall coordination and discussion of the information security policy, planning, resource allocation, and related matters.
- As necessary for information security management, the company shall specifically assign personnel or unit(s) to be responsible for planning and implementing information security work. The assigned staff shall attend at least 15 hours of information security professional programs and training each year and pass the associated assessment. Other staff with access to information systems shall attend at least three hours of information security awareness programs each year.
- If the company lacks sufficient information security manpower, skills, or experience, it may retain external scholars, experts, or professional private institutions and groups to provide information security consulting services.
- The authority and duties of the company's information processing department shall be clearly differentiated from those of its business units.