|
Article 9
|
The cyber security maintenance plans specified in Article 13; Paragraph 2, Article 20; and Paragraph 1, Article 21 of the Act shall include the following items:<br/>1. Core businesses and their significance.<br/>2. Cyber security policies and goals.<br/>3. Cyber security promotion organization.<br/>4. Allocation of full-time staff and funding.<br/>5. Appointment of a Chief Information Security Officer.<br/>6. Inventory of information and communication systems and designation of core information and communication systems and related assets.<br/>7. Cyber security risk management.<br/>8. Cyber security protection and control measures.<br/>9. The reporting, response, and drill mechanisms for cyber security incidents.<br/>10. Mechanisms for assessing and responding to cyber security information.<br/>11. Management measures for outsourced information and communication systems or services.<br/>12. Performance evaluation mechanism for personnel whose duties involve cyber security matters.<br/>13. Continuous improvement of cyber security maintenance plans and implementation status and performance management mechanisms.<br/>Agencies shall include the execution results and relevant explanations of each subparagraph mentioned above when submitting reports on the implementation status of their cyber security maintenance plans as required under Article 14; Paragraph 3, Article 20; or Paragraph 2, Article 21 of the Act.<br/>The formulation, revision, and implementation of cyber security maintenance plans referred to in Paragraph 1, as well as the submission of the implementation status referred to in the preceding paragraph, may be carried out by the receiving agency, its subordinate or supervised government agencies, or the following entities under its jurisdiction: township (town, city) offices, district offices of indigenous districts in special municipalities, township (town, city) representative councils, and representative councils of indigenous districts in special municipalities, provided that the government agency obtains the consent of the agency that receives the implementation status of its cyber security maintenance plan pursuant to Article 14 of the Act. For a specific non-government agency, the matters referred to in the preceding paragraph may, subject to the consent of its central competent authority in charge of the relevant sector, be carried out by such central competent authority, or the subordinate or supervised government agencies or specific non-government agencies under the jurisdiction of such central competent authority.
|