A service enterprise that uses a computerized information processing system shall, in addition to clearly differentiating the functions and duties of information and user departments, at least include the following control procedures:
- Clear demarcation of the functions and duties of the information-processing department.
- Control of system development and program modification.
- Control of preparation of system documentation.
- Program and data access control.
- Data input/output control.
- Data processing control.
- File and facility security control.
- Control of purchase, usage, and maintenance of hardware and system software.
- Control of system recovery plan and testing procedures.
- Control of information and communications security inspection.
- Control of relevant procedures, if required, for disclosing and reporting public information on a website designated by the competent authority.