Article 4
|
When each agency outsources parties for setup, maintenance of information and communication system, or provision of information and communication service (hereinafter referred to as the “outsourced business”) in accordance with Article 9 of the Act, attention should be paid to the following matters for the selection and supervision of the outsourced party.<br/>1. The procedures and environment of the outsourced party in conducting outsourced business shall have completed cyber security management measures or have passed the verification of third party.<br/>2. The outsourced party shall deploy sufficient and properly qualified and trained cyber security professionals who hold cyber security professional licenses or have similar business experience.<br/>3. Whether the outsourced party can second-tier subcontract outsourced business’ scopes and objects that may be second-tier subcontract and the cyber security maintenance measures that the second-tier subcontractor should have.<br/>4. If the outsourced business involves classified national security information, the person who conduct the outsourced business shall be reviewed and the departure shall be controlled in accordance with the Classified National Security Information Protection Act.<br/>5. If the outsourced business includes customized development of information and communication system, the outsourced party shall provide security testing certificate of such information and communication system; if such information and communications system is the core system of the outsourcing agency, or the outsourcing amount exceeds NT$10,000,000, the outsourcing agency shall conduct itself or contract third party to conduct the security testing; if the use of system or resource other than those developed by the outsourced party is involved, content and source of those not developed by the outsourced party shall be indicated and the certification of authorization thereof shall be provided.<br/>6. If the outsourced party conducts outsourced businesses in violation of the relevant regulatory requirement of cyber security or becomes aware of cyber security incident, it shall immediately notify the outsourcing agency thereof and take remedy measure therefor.<br/>7. If the entrusting relationship is terminated or canceled, it shall be confirmed that the outsourced party has returned, handed over, deleted or destroyed all materials in its possession for the performance of the contract.<br/>8. The outsourced party shall take other relevant measure for cyber security.<br/>9. The outsourcing agency shall, periodically, or whenever it becomes aware of the occurrence of cyber security incident of the outsourced party that might affect the outsourced business, confirm the implementation status of the outsourced business by audit or other appropriate method.<br/>In conducting the competency audit under Subparagraph 4 of the preceding paragraph, the outsourcing agency shall take into consideration the confidential level and content of the classified national security information in which the outsourced business is involved, and shall, to the necessary extent, check whether the personnel of the outsourced party who performs such business or other personnel who might access such classified national security information has any of the following circumstances:<br/>1. One who had committed the offense of disclosing secret, or had committed the offense of civil disturbance or treason after the termination of the Period of National Mobilization in Suppression of Communist Rebellion, and was finally convicted, or was put on a wanted list which has not been closed.<br/>2. One who was aformer public official, was subject to administrative penalty or demerit record due to a violation of relevant regulatory for security confidentiality.<br/>3. One who was induced or coerced by foreign government, mainland China, Hong Kong or Macau government to engage in activity unfavorable to national security or significant interest of the nation.<br/>4. Other concrete item relating to the protection of classified national security information.<br/>The circumstance under Subparagraph 4 of Paragraph 1 shall be stated in the tender notice, tender document and contract; before the verification of the competency audit, the relevant personnel shall agree in writing document.
|