| Article 20 |
(Control and management of release of a mobile app)
- Before releasing its mobile app, an organization shallexamine to make sure the authorization required for the mobile app is adequate for the services to be provided. First release or changes to authorization should be approved by the information security and compliance departments and records should be kept to help a comprehensive evaluation to determine whether the notification obligations under the Personal Data Protection Act have been performed.
- An organization shall release its mobile app on a reliable app store or website and shall at the same time of the release provide information about what sensitive information may be accessed, resources of mobile device and declared authorization and use.
- For a mobile app to be used by investors, an organization shall, prior to the first release and on a yearly basis, appoint a qualified third-party testing laboratory certified by Taiwan Accreditation Foundation (TAF) to conduct and complete the information security testing with a satisfied test result. The test should be performed in consistent with the basic mobile app information security tests published by the implementing organization Mobile Application Security Alliance, appointed by the Industrial Development Bureau, Ministry of Economic Affairs.
- When updates on the released app are necessary within one year after the laboratory test, the organization shall perform the test or appoint a third party to perform the test on important updates prior to every release. Important updates are changes to the functions relating to “placing orders”, “accessing account information”, “identity verification” and “changes relating to client’s important rights and interest”. The tests should be based on OWASP MOBILE TOP 10 and the relating test records should be kept.
- The organization shall establish the review system based on the basic mobile app information security testspublished by the implementing organization Mobile Application Security Alliance, appointed by the Industrial Development Bureau, Ministry of Economic Affairs, for the test reports delivered by the third-party laboratory to ensure the tests have been conducted in accordance with the requirements, and the review records should be kept.
|
|