Article NO. Content

Title:

Regulations on Audit of Implementation of Cyber Security Maintenance Plan of Specific Non-Government Agency

Amended Date: 2021.08.23 
Article 3 Except in cases of force majeure, the competent authority shall select and determine the specific non-government agencies (hereinafter referred to as the “audited agency”) for each quarter of the year, and may audit the implementation of their cyber security maintenance plans through onsite audit every year.

In selecting and determining the audited agencies under the preceding paragraph, the competent authority shall give comprehensive consideration to the significance and confidential sensitivities of their businesses, the size and nature of their cyber systems, the frequencies and degrees of occurrence of cyber security incidents, the results of cyber offense and defense exercises, the frequencies and results of audits conducted by the competent authority or the central authority in charge of the relevant industry over past years, or other factors relating to cyber security.

In conducting the audit under Paragraph 1, the competent authority shall establish the audit program, the content of which shall include the basis and purposes, time period, essential fields of the audit, the manner of formation of the audit team, confidentiality obligation, the method, standards and items of the audit, and assistance issues from the central authority in charge of the relevant industry.

In determining the essential fields, standards and items of the audit under the preceding paragraph, the competent authority shall take into comprehensive consideration the cyber security policy of our country, domestic and foreign cyber security trends, the contents and results of past audit programs, and any other factors relating to the proper allocation of audit resources or audit effectiveness.