|
Article 11
|
Agencies shall handle the matters set out in Appendices 1 through 8 in accordance with their cyber secu rity responsibility levels.<br/>Information and communication systems developed by agencies themselves or through outsourcing shall be classified in accordance with Principles for Classifying Protection Requirement Levels for Information and Communication Systems set out in Appendix 9, and the control measures set out in Appendix 10, Security Baselines for Information and Communication Systems, shall be implemented accordingly. Where the central competent authority in charge of the relevant sector of a specific non-government agency deems it necessary to prescribe separate defense standards for specific types of information and communication systems, it may draft such defense standards and submit them to the competent authority for approval, after which those standards shall apply.<br/>With the consent of their superior or supervisory agency, government agencies may apply mutatis mutandis the relevant provisions on defense standards prescribed by the central competent authority in charge of the relevant sector under the preceding paragraph; the same shall apply to other specific non-government agencies with the consent of their respective central competent authority in charge of the relevant sector.<br/>Where an agency, in handling the matters set out in Appendices 1 through 8 or implementing the control measures set out in Appendix 10, encounters manifest difficulty in handling or implementing a specific matter or control measure due to technical limitations or factors such as the design, structure, or nature of an individual information and communication system, it may, with the consent of the agency that submits its level under the latter part of Paragraph 1 and Paragraph 2 of Article 3, or of the agency that approves its level under the former part of Paragraph 1 and Paragraph 3 of the same Article, and after reporting to the competent authority for recordation, be exempted from handling or implementing that matter or control measure. Where the agency that submits the level falls under the foregoing circumstances, it may be exempted with the consent of the competent authority; where the agency that approves the level falls under such circumstances, it may be exempted after reporting to the competent authority for recordation.<br/>Government agencies shall, in the manner designated by the competent authority, submit the implementation status of the matters set out in Paragraphs 1 and 2.<br/>The central competent authority in charge of the relevant sector may require the specific non-government agencies under its jurisdiction to submit the implementation status of the matters set out in Paragraphs 1 and 2 in the manner it designates.<br/>Where agencies are required, as a result of amendments to Appendices 1 through 10, to add or modify items within a specified period, that period shall be calculated from the effective date of the amendments.
|