Article NO. Content

Title:

Operating Procedures for the Assessment of Information and Communication Security of Information and Communication Systems by Securities Firms

Announced Date: 2025.07.03 
Article 8     Assessment Report
  1. The information and communication security assessment report for an information and communication system shall include at least the qualifications of the assessment personnel, scope of the assessment, assessment items and objects, assessment records, deficiencies identified during the assessment, severity of deficiencies, categories of deficiencies, risk explanations, specific recommendations on rectification, and results of social engineering drills.
  2. The company shall classify risk levels based on the level of deficiencies in the assessment report, formulate corresponding control measures and rectification deadlines for each risk, and submit them to the audit unit for follow-up and review of the rectification of deficiencies.
  3. The review of deficiencies identified in the assessment report shall be submitted to the board of directors or a managerial department authorized by the board, provided that, in the case of a Taiwan branch of a foreign securities firm, this may be carried out by the responsible person of the branch, to ensure that the rectification of deficiencies is supervised by senior management.
  4. The assessment report shall be retained together with documents relating to the rectification of deficiencies etc. for at least five years.

Interpretation: