Title:

Reference Guidelines on the Supply Chain Risk Management of Service Enterprises in Securities and Futures Markets 

Announced Date: 2023.11.13 (Articles 4, 7, 10 amended; English version coming soon)
Current English version amended on 2022.04.26
Categories: Information Operations
Article 10 (Security Management)
    An organization shall pay attention to the following in the course of a project:
  1. Where an information service supplier overspecializes, a register shall be compiled to facilitate management, and its information security event identification, response, and risk mitigation mechanisms shall be ascertained.
  2. A foreign investment organization shall comply with the following if it outsources information to its head office or an overseas subsidiary for offshore processing for the purposes of internal division of work (the "Outsourcer Institution"):
    1. The organization shall fully understand and maintain access to the status of collection, processing, use, international transmission, and control of client information by the Outsourcer Institution.
    2. Client information made available by the organization to the Outsourcer Institution shall be limited to necessary information that directly pertains to the outsourced matter.
    3. The organization shall require the Outsourcer Institution to comply with the following:
      1. The organization’s client information shall be used and processed only by authorized personnel of the Outsourcer Institution within the scope of the outsourced matter.
      2. The organization’s client information shall be clearly separated from the data of the Outsourcer Institution and data of other institutions processed by the Outsourcer Institution.
      3. Client information of the organization as processed by the Outsourcer Institution shall be made available to the organization promptly.
    4. In the event of the international transmission of classified data, the organization shall develop an encrypted transmission mechanism, confirm the compliance of the Outsourcer Institution’s collection, processing, use, international transmission, and control of client information with the applicable provisions of Taiwan’s Personal Data Protection Act, obtain authorization from the subject prior to transmission, not violate any restriction of a competent authority on international transmission, and keep complete audit records.
  3. The organization shall manage and periodically examine (at least biannually) the field operation and authorization of physical access and logic access of the information service supplier, including the operational site’s configurations, network equipment and host connection, computer and telephone use, access to and from the computer room, temporary pass application, etc.
  4. The organization shall include personnel of information service suppliers stationed within the organization in its security management. Security control measures shall be in place if use of intranet resources is contemplated (e.g., where adaptation or a separate network is involved, physical separation from the intranet shall be maintained).
  5. An organization shall request from the information service supplier a list of its stationed personnel.