
Title: Enforcement Rules of the Cyber Security Management Act

Amended Date: 2026.01.05 
Article 7

When agencies outsource the establishment, maintenance, or operation of information and communication systems, or the provision of information and communication services in accordance with Article 10 of the Act (hereinafter referred to as “outsourced services”), they shall pay attention to the following matters when selecting and supervising contractors:

1. The contractor shall be equipped with sufficient cyber security personnel who have undergone appropriate qualification training, hold cyber security professional certifications, or possess equivalent professional experience in related service areas.
2. Whether the outsourced services may be further subcontracted, the permissible scope of and counterparties for such subcontracting, and the cyber security maintenance measures to be adopted by subcontractors.
3. Personnel executing outsourced services that involve classified national security information shall undergo suitability reviews and be subject to exit restrictions in compliance with the Classified National Security Information Protection Act.
4. For outsourced services containing customized information and communication system development, the contractor must provide security testing certification. When the information and communication system is classified as a core information and communication system of the contracting agency or the contract value exceeds NT$10 million, the agency shall either perform its own security testing or engage a third party to conduct it. Where the use of systems or resources not developed by the contractor is involved, the non-self-developed content and its source shall be marked, and proof of authorization shall be provided.
5. When a contractor executes outsourced services and violates cyber security laws or regulations or becomes aware of any cyber security incidents, the contractor shall immediately notify the contracting agency and implement appropriate remedial measures.
6. Ensuring that upon termination or dissolution of the outsourcing relationship, the contractor returns, transfers, deletes, or destroys all data held in the course of contract performance.
7. Other cyber security and maintenance measures to be implemented by the contractor.
8. The contracting agency shall periodically, or upon learning of any cyber security incidents that may impact the outsourced services, verify the execution of such operations through audits or other suitable methods.

When conducting suitability reviews for Subparagraph 3 of the preceding paragraph, the contracting agency shall consider the classification level and content of classified national security information involved in the outsourced services. Within the necessary scope, it shall verify whether personnel of the contractor responsible for executing such business and other personnel who may have access to the classified national security information have any of the following circumstances:

1. Persons who have been convicted by a final judgment of any offense under the Chapter of Offenses Against Computer Security of the Criminal Code, or who are currently wanted in unresolved cases related to such offenses.
2. Persons who have been convicted of Offenses of Disclosure of Secrets, or who, after the end of the period of national mobilization for suppression of communist rebellion, committed Offenses Against the Internal Security of the State or Offenses Against the External Security of the State, and have been convicted by a final judgment or are currently wanted in unresolved cases.
3. Persons who were previously employed as civil servants and received a disciplinary sanction or an administrative action of a demerit or heavier for violating relevant security and confidentiality regulations.
4. Persons who have been induced or coerced by a foreign government or authorities from Mainland Area, Hong Kong, or Macau to carry out actions that harm national security or the country's significant interests.
5. Other specific matters related to the protection of classified national security information.

Circumstances as described in Subparagraph 3, Paragraph 1 shall be documented in the tender announcement, tender documents, and contract. Prior to conducting suitability reviews, written consent from the persons concerned is also required.