Article 7
Qualifications and obligations of the assessment unit
- Either an external professional institution may be entrusted or an internal company unit may act as the assessment unit. In the event of an external professional institution, there shall be no conflict of interest with the object of the information security assessment. In the event of an internal unit, it shall be independent from the original computer system development and maintenance units etc.
- An assessment unit conducting information and communication security assessments of Category I information and communication systems shall meet the qualification requirements set forth in all of the following subparagraphs. One conducting information and communication security assessments of Category II and III information and communication systems shall meet the relevant qualification requirements based on the assessment item requirements:
  - Possess knowledge of information and communication security management, such as holding a Certified Information Security Manager (CISM) certification or passing the Information Security Management System Lead Auditor (ISO 27001 LA) examination etc.
  - Possess technical capabilities for information and communication security, such as holding a Certified Information Systems Security Professional (CISSP) certification etc.
  - Possess capabilities to simulate hacker attacks, such as holding a Certified Ethical Hacker (CEH) certification or Certified Incident Handler (CIH) certification etc.
  - Be familiar with financial industry carrier applications, or have system development or audit experience.
- The assessment unit shall sign a confidentiality agreement and provide appropriate protective measures to prevent data leakage for all data pertaining to the case, including inspection documents, test logs, configuration parameters, source code, and captured packet data etc.
- No assessment unit and personnel may conceal deficiencies, make misrepresentations, divulge or misuse data etc.