
Cyber Security Management Act

&
Related Regulations

Executive Yuan
November 2019
Table of Contents

Part 1: The Act and Related Regulations ... 1
Cyber Security Management Act ... 1
Enforcement Rules of Cyber Security Management Act ... 15
Regulations on Classification of Cyber Security Responsibility Levels ... 25
Regulations on the Notification and Response of Cyber Security Incident ... 70
Regulations on Audit of Implementation of Cyber Security Maintenance Plan of Specific Non-Government Agency ... 89
Cyber Security Information Sharing Regulations ... 95

Part 2: The comparison table of Chinese and English ... 100
Cyber Security Management Act ... 100
Enforcement Rules of Cyber Security Management Act ... 111
Regulations on Classification of Cyber Security Responsibility Levels ... 119
Regulations on the Notification and Response of Cyber Security Incident ... 163
Regulations on Audit of Implementation of Cyber Security Maintenance Plan of Specific Non-Government Agency ... 175
Cyber Security Information Sharing Regulations ... 180

Part 1: The Act and Related Regulations
I. Cyber Security Management Act
1. Enacted and promulgated, with a total of twenty-three articles, by Presidential Order Hua Zong 1 Yi Zi No. 10700060021 on July 6, 2018; the implementation date of the Act shall be stipulated by the competent authority.

2. By Executive Yuan Order Yuan Tai Hu Zi No. 1070217128 of December 5, 2018, the implementation date of the Act was stipulated as January 1, 2019.

Chapter 1 General Provisions

Article 1 This Cyber Security Management Act (hereinafter referred to as the Act) is stipulated in an effort to actively carry out the national cyber security policy, accelerate the construction of an environment for national cyber security, safeguard national security, and protect the public interests of society as a whole.

Article 2 The competent authority over the Act is the Executive Yuan.

Article 3 The terms used in the Act are defined as follows:

1. Information and communication system: refers to a system used to collect, control, transmit, store, circulate or delete information, or otherwise to process, use or share such information.

2. Information and communication service: refers to a service used to collect, control, transmit, store, circulate or delete information, or otherwise to process, use or share such information.

3. Cyber security: refers to efforts to prevent an information and communication system or information from unauthorized access, use, control, disclosure, damage, alteration, destruction or other infringement, so as to assure the confidentiality, integrity and availability of information and systems.

4. Cyber security incident: refers to an event in which the state of a system, service or network, upon identification, likely shows a violation of the cyber security policy or a failure of the security protective measures, thereby adversely affecting the functioning of the information and communication system and constituting a threat to the cyber security policy.

5. Government agency: refers to a central or local government agency (institution), or a public juristic person that exercises public power according to law, excluding military and intelligence agencies.

6. Specific non-government agency: refers to a critical infrastructure provider, a government-owned enterprise or a government-endowed foundation.

7. Critical infrastructure: refers to an asset, system or network, either physical or virtual, whose discontinued operation or reduced effectiveness would lead to a significant negative impact upon national security, public interests, the living standard of citizens or economic activities. The scope of critical infrastructure shall be re-examined and promulgated by the competent authority regularly.

8. Critical infrastructure provider: refers to one who maintains or provides critical infrastructure, in whole or in part, as designated by the central authority in charge of the relevant industry and submitted to the competent authority for ratification.

9. Government-endowed foundation: refers to a foundation whose operation and capital employment plan for its funds shall be submitted to the Legislative Yuan in accordance with Paragraph 3 of Article 41 of the Budget Act, and whose annual budget statement shall be submitted to the Legislative Yuan for deliberation in accordance with Paragraph 4 of the same Article.

Article 4 In an effort to promote cyber security, the government shall provide resources, integrate the momentum of civilian groups and the private sector, boost the cyber security awareness of all people, and implement the following:

1. Cultivation of cyber security professionals.

2. Cyber security technology research and development, integration and application, industry-academia cooperation, and interchange and cooperation with the international community.

3. Development of the cyber security industry.

4. Development of cyber security related software and hardware specifications, relevant services and verification mechanisms.

The promotion of the matters in the preceding Paragraph shall be stipulated by the competent authority in the national cyber security program.

Article 5 The competent authority shall plan and promote the cyber security policy, cyber security technology development, interchange and cooperation with the international community, and comprehensive cyber security protection and related undertakings, and shall announce the report on the national cyber security status, the summary auditing report on the implementation of the cyber security maintenance plans of government agencies, and the national cyber security program.

The status report, summary auditing report and national cyber security program of the preceding Paragraph shall be submitted to the Legislative Yuan for review.

Article 6 The competent authority may commission or entrust another government agency, juristic person or organization to implement the integrated protection of cyber security, interchange and cooperation with the international community, and other cyber security related matters.

The government agency, juristic person or organization, or its second-tier subcontractor, of the preceding Paragraph shall not divulge secrets of a critical infrastructure provider that become known in the course of implementing the relevant matters.

Article 7 The competent authority shall stipulate the cyber security responsibility levels by considering the importance, confidentiality and sensitivity of the business, the hierarchy of the agency, the category, quantity and attributes of the information reserved or processed, and the scale and attributes of the information and communication systems of the government agency or specific non-government agency. The regulations regarding the baseline for responsibility levels, application for a change in level, content of obligations, staffing of dedicated personnel and other matters concerned shall be stipulated by the competent authority.

The competent authority may audit a specific non-government agency on its implementation of the cyber security maintenance plan; the frequency, content, method and other matters concerned shall be stipulated by the competent authority.

When a specific non-government agency is audited as per the preceding Paragraph and found defective or needing improvement in its cyber security maintenance plan, it shall submit an improvement report to the competent authority and to the central authority in charge of the relevant industry.

Article 8 The competent authority shall set up a cyber security information sharing mechanism.

Regulations regarding the analysis, integration and sharing of the cyber security information in the preceding Paragraph, including its content, procedure, method and other matters, shall be stipulated by the competent authority.

Article 9 When a government agency or specific non-government agency outsources the setup or maintenance of an information and communication system, or the provision of information and communication services, it shall, within the realm of this Act, take into account the outsourced party's professional capability and hands-on experience, as well as the attributes of the outsourced item and its cyber security requirements, select an appropriate party for outsourcing, and oversee its cyber security maintenance.

Chapter 2 Government Agency Cyber Security Management

Article 10 A government agency shall satisfy the requirements of its cyber security responsibility level and, taking into account the category, quantity and attributes of the information reserved or processed, along with the scale and attributes of its information and communication systems, stipulate, amend and implement a cyber security maintenance plan.

Article 11 A government agency shall staff the position of Cyber Security Officer, to be served concurrently by the deputy head or other appropriate personnel designated by the agency head. The Cyber Security Officer shall be responsible for carrying out and overseeing the cyber security business of the agency.

Article 12 A government agency shall annually submit to its superior or supervisory authority a report on the implementation of the cyber security maintenance plan. Where there is no superior authority, the implementation report shall be submitted to the competent authority.

Article 13 A government agency shall audit the subordinate authorities under its supervision on the implementation of the cyber security maintenance plan.

When an agency is audited and found defective or needing improvement in its cyber security maintenance plan, it shall submit an improvement report to the auditing agency and to its superior or supervisory authority.

Article 14 To cope with cyber security incidents, a government agency shall stipulate a reporting and responding mechanism.

When it becomes aware of a cyber security incident, the government agency shall report to its superior or supervisory authority as well as to the competent authority. Where there is no superior authority, the government agency shall report to the competent authority.

A government agency shall file a report on the investigation, handling and improvement of the cyber security incident and shall submit it to its superior or supervisory authority as well as to the competent authority. Where there is no superior authority, the government agency shall submit it to the competent authority.

Regulations regarding the essentials of the reporting and responding mechanism, the content of notification, the submittal of reports and other matters in the three preceding Paragraphs shall be stipulated by the competent authority.

Article 15 A government agency shall present incentive awards to personnel with proven performance in cyber security maintenance.

Regulations for such incentive awards in the preceding Paragraph shall be stipulated by the competent authority.

Chapter 3 Specific Non-Government Agency Cyber Security Management

Article 16 The central authority in charge of the relevant industry shall, after consulting the relevant government agencies, civil associations, scholars and experts for their opinions, designate critical infrastructure providers and submit them to the competent authority for approval, and shall notify the approved providers in writing.

A critical infrastructure provider shall satisfy the requirements of its cyber security responsibility level and, taking into account the category, quantity and attributes of the information reserved or processed, along with the scale and attributes of its information and communication systems, stipulate, amend and implement a cyber security maintenance plan.

A critical infrastructure provider shall submit to the central authority in charge of the relevant industry a report on the implementation of the cyber security maintenance plan.

The central authority in charge of the relevant industry shall audit the critical infrastructure provider on the implementation of the cyber security maintenance plan.

When a critical infrastructure provider is audited and found defective or needing improvement in its cyber security maintenance plan, it shall submit an improvement report to the central authority in charge of the relevant industry.

Regulations regarding the essentials of the cyber security maintenance plan, the submittal of implementation reports, audit frequency, contents and methods, the submittal of improvement reports and other matters in Paragraphs 2 to 5 shall be drafted by the central authority in charge of the relevant industry and submitted to the competent authority for approval.
Article 17 A specific non-government agency other than a critical infrastructure provider shall satisfy the requirements of its cyber security responsibility level and, taking into account the category, quantity and attributes of the information reserved or processed, along with the scale and attributes of its information and communication systems, stipulate, amend and implement a cyber security maintenance plan.

The central authority in charge of the relevant industry may request a specific non-government agency under its charge, as mentioned in the preceding Paragraph, to submit a report on the implementation of the cyber security maintenance plan.

The central authority in charge of the relevant industry may audit a specific non-government agency under its charge, as mentioned in Paragraph 1, on the implementation of the cyber security maintenance plan. When found defective or needing improvement in its cyber security maintenance plan, the audited specific non-government agency shall be required to submit an improvement report before a specified date.

Regulations regarding the essentials of the cyber security maintenance plan, the submittal of implementation reports, audit frequency, contents and methods, the submittal of improvement reports and other matters in the three preceding Paragraphs shall be drafted by the central authority in charge of the relevant industry and submitted to the competent authority for approval.

Article 18 To cope with cyber security incidents, a specific non-government agency shall stipulate a reporting and responding mechanism.

When it becomes aware of a cyber security incident, a specific non-government agency shall report to the central authority in charge of the relevant industry.

A specific non-government agency shall file a report on the investigation, handling and improvement of the cyber security incident and shall submit it to the central authority in charge of the relevant industry. In the case of a severe cyber security incident, it shall further notify the competent authority.

Regulations regarding the essentials of the reporting and responding mechanism, the content of notification, the submittal of reports and other matters in the three preceding Paragraphs shall be stipulated by the competent authority.

When aware of a severe cyber security incident, the competent authority or the central authority in charge of the relevant industry may, in a timely manner, promulgate the essential contents of the incident and the coping measures, and render relevant support.

Chapter 4 Penalties

Article 19 Personnel of a government agency who fail to comply with the provisions of the Act shall be subject to discipline or penalty in accordance with the relevant regulations.

Regulations for such penalties in the preceding Paragraph shall be stipulated by the competent authority.

Article 20 If a specific non-government agency has committed any of the following, the central authority in charge of the relevant industry shall order it to complete corrective actions within a specified time limit. If it fails to do so within the specified time limit, it shall be subject to a fine of not less than NT$100,000 and not more than NT$1,000,000 for each offense:

1. Failing to stipulate, amend or implement the cyber security maintenance plan in accordance with Paragraph 2 of Article 16 or Paragraph 1 of Article 17, or violating the regulations on the essentials of the cyber security maintenance plan under Paragraph 6 of Article 16 or Paragraph 4 of Article 17.

2. Failing to submit the report on the implementation of the cyber security maintenance plan to the central authority in charge of the relevant industry in accordance with Paragraph 3 of Article 16 or Paragraph 2 of Article 17, or violating the regulations on the submittal of implementation reports under Paragraph 6 of Article 16 or Paragraph 4 of Article 17.

3. Failing to submit the improvement report to the competent authority or the central authority in charge of the relevant industry in accordance with Paragraph 3 of Article 7, Paragraph 5 of Article 16 or Paragraph 3 of Article 17, or violating the regulations on the submittal of improvement reports under Paragraph 6 of Article 16 or Paragraph 4 of Article 17.

4. Failing to stipulate the reporting and responding mechanism for cyber security incidents in accordance with Paragraph 1 of Article 18, or violating the regulations on the essentials of the reporting and responding mechanism under Paragraph 4 of Article 18.

5. Failing to submit the report on the investigation, handling and improvement of a cyber security incident to the central authority in charge of the relevant industry or the competent authority in accordance with Paragraph 3 of Article 18, or violating the regulations on the submittal of such reports under Paragraph 4 of Article 18.

6. Violating the regulations on the content of notification under Paragraph 4 of Article 18.

Article 21 If a specific non-government agency violates Paragraph 2 of Article 18 by failing to report a cyber security incident, the central authority in charge of the relevant industry shall impose a fine of not less than NT$300,000 and not more than NT$5,000,000, and shall order it to complete improvement within a specified time limit. If it fails to do so within the specified time limit, a penalty shall be imposed for each additional offense.

Chapter 5 Supplementary Provisions

Article 22 The enforcement rules of the Act shall be stipulated by the competent authority.

Article 23 The implementation date of the Act shall be stipulated by the competent authority.
II. Enforcement Rules of Cyber Security Management Act
Promulgated on November 21, 2018

Article 1 These Rules are stipulated in accordance with Article 22 of the Cyber Security Management Act (hereinafter referred to as the Act).

Article 2 The term "military agency" as used in Subparagraph 5 of Article 3 of the Act refers to the Ministry of National Defense and its subordinate agencies (institutions), troops and schools; the term "intelligence agency" as used therein refers to the agencies specified in Subparagraph 1 of Paragraph 1 and Paragraph 2 of Article 3 of the National Intelligence Services Law.

Article 3 In submitting improvement reports under Paragraph 3 of Article 7, Paragraph 2 of Article 13, Paragraph 5 of Article 16 or Paragraph 3 of Article 17 of the Act, the government agency or specific non-government agency (hereinafter referred to as "each agency") shall, in response to the audit result on the implementation of the cyber security maintenance plan, submit the following contents, and shall report the implementation of the improvement report in the manner and within the time designated by the competent authority, the superior or supervisory authority, or the central authority in charge of the relevant industry:

1. Flaws or items to be improved.

2. Causes of occurrence.

3. Measures in the aspects of management, technology, manpower or resources to be taken for the flaws or items to be improved.

4. The estimated completion schedules of the measures under the preceding Subparagraph and the method for tracking implementation progress.

Article 4 When each agency outsources the setup or maintenance of an information and communication system, or the provision of an information and communication service (hereinafter referred to as the "outsourced business"), in accordance with Article 9 of the Act, attention shall be paid to the following matters in the selection and supervision of the outsourced party:

1. The procedures and environment of the outsourced party for conducting the outsourced business shall have complete cyber security management measures in place or have passed third-party verification.

2. The outsourced party shall deploy sufficient, properly qualified and trained cyber security professionals who hold cyber security professional licenses or have similar business experience.

3. Whether the outsourced party may second-tier subcontract the outsourced business, the scope and objects that may be second-tier subcontracted, and the cyber security maintenance measures that the second-tier subcontractor should have.

4. If the outsourced business involves classified national security information, the persons who conduct the outsourced business shall be reviewed, and their departure shall be controlled, in accordance with the Classified National Security Information Protection Act.

5. If the outsourced business includes the customized development of an information and communication system, the outsourced party shall provide a security testing certificate for such system; if such system is a core system of the outsourcing agency, or the outsourcing amount exceeds NT$10,000,000, the outsourcing agency shall conduct the security testing itself or contract a third party to conduct it; if the use of systems or resources other than those developed by the outsourced party is involved, the content and source of those components shall be indicated and certification of their authorization shall be provided.

6. If the outsourced party conducts the outsourced business in violation of the relevant regulatory requirements of cyber security, or becomes aware of a cyber security incident, it shall immediately notify the outsourcing agency and take remedial measures.

7. If the entrusting relationship is terminated or cancelled, it shall be confirmed that the outsourced party has returned, handed over, deleted or destroyed all materials in its possession for the performance of the contract.

8. The outsourced party shall take other relevant measures for cyber security.

9. The outsourcing agency shall, periodically or whenever it becomes aware of the occurrence of a cyber security incident at the outsourced party that might affect the outsourced business, confirm the implementation status of the outsourced business by audit or other appropriate method.

In conducting the competency audit under Subparagraph 4 of the preceding Paragraph, the outsourcing agency shall take into consideration the confidentiality level and content of the classified national security information involved in the outsourced business, and shall, to the necessary extent, check whether the personnel of the outsourced party who perform such business, or other personnel who might access such classified national security information, fall under any of the following circumstances:

1. Having committed the offense of disclosing secrets, or the offense of civil disturbance or treason after the termination of the Period of National Mobilization for Suppression of the Communist Rebellion, and having been finally convicted or placed on a wanted list that has not been closed.

2. Having been, as a former public official, subject to administrative penalty or demerit record due to a violation of the relevant regulations on security and confidentiality.

3. Having been induced or coerced by a foreign government, or by the government of mainland China, Hong Kong or Macau, to engage in activities unfavorable to national security or to significant interests of the nation.

4. Other concrete matters relating to the protection of classified national security information.

The circumstances under Subparagraph 4 of Paragraph 1 shall be stated in the tender notice, tender documents and contract; before the competency audit is conducted, the relevant personnel shall give their consent in writing.

Article 5 The "in writing" document under Paragraph 3 of the preceding Article and Paragraph 1 of Article 16 of the Act may be an electronic document in accordance with the Electronic Signatures Act.

Article 6 The cyber security maintenance plan under Article 10, Paragraph 2 of Article 16, and Paragraph 1 of Article 17 of the Act shall include the following:

1. Core businesses and their significance.

2. Cyber security policy and objectives.

3. The organization promoting cyber security.

4. The deployment of dedicated manpower and funds.

5. The deployment of the Cyber Security Officer of the government agency.

6. The inventory of information and of information and communication systems, indicating the core ones and relevant assets.

7. Cyber security risk assessments.

8. Protection and control measures for cyber security.

9. The reporting, responding and rehearsal mechanisms relating to cyber security incidents.

10. The cyber security information assessment and responding mechanism.

11. Management measures for outsourced information and communication systems or services.

12. The assessment mechanism for personnel of the government agency who conduct business involving cyber security matters.

13. The continual improvement and performance management mechanism for the cyber security maintenance plan and its implementation status.

The implementation reports of cyber security maintenance plans submitted by each agency under Article 12, Paragraph 3 of Article 16 or Paragraph 2 of Article 17 of the Act shall include the implementation results of, and relevant explanations for, each item under the Subparagraphs of the preceding Paragraph.

The stipulation, amendment and implementation of the cyber security maintenance plan under Paragraph 1, and the submission of its implementation report, may be conducted by the superior or supervisory agency of the government agency; in the case of a specific non-government agency, the same may be conducted, with the consent of its central authority in charge of the relevant industry, by that central authority, by a government agency subordinate to it, or by another specific non-government agency regulated by it.

Article 7 The scope of the core businesses specified in Subparagraph 1 of Paragraph 1 of the preceding Article is as follows:

1. Businesses that are the core accountabilities of the government agency as determined by its organizational regulations.

2. Major services or functions of a government-owned enterprise or government-endowed foundation.

3. Businesses required by each agency for the maintenance and provision of critical infrastructure.

4. Businesses in which each agency is involved in accordance with Paragraphs 1 to 5 of Article 4, or Paragraphs 1 to 4 of Article 5, of the Regulations on Classification of Cyber Security Responsibility Levels.

The term "core information and communication system" as used in Subparagraph 6 of Paragraph 1 of the preceding Article refers to a system that is necessary for supporting the continual operation of a core business, or that is of a high level of defense requirement as determined in accordance with Schedule 9 to the Regulations on Classification of Cyber Security Responsibility Levels (principles of classification of cyber system defense requirement levels).

Article 8 The investigation, handling and improvement report on a cyber security incident under Paragraph 3 of Article 14 and Paragraph 3 of Article 18 of the Act shall include the following:

1. The times of the occurrence of, or of becoming aware of, the incident, and of the completion of damage control or recovery operations.

2. The scope affected by the incident and the damage assessment.

3. The course of damage control and recovery operations.

4. The course of incident investigation and handling operations.

5. Cause analysis of the incident.

6. Measures in the aspects of management, technology, manpower or resources taken to prevent the reoccurrence of similar incidents.

7. The estimated completion schedule and follow-up mechanism for the measures under the preceding Subparagraph.

Article 9 Before designating critical infrastructure providers under Paragraph 1 of Article 16 of the Act, the central authority in charge of the relevant industry shall give such providers the opportunity to state their opinions.

Article 10 The term "severe cyber security incident" as used in Paragraphs 3 and 5 of Article 18 of the Act refers to level-3 and level-4 cyber security incidents as specified in Paragraphs 4 and 5 of Article 2 of the Regulations on the Notification and Response of Cyber Security Incidents.

Article 11 When the competent authority or the central authority in charge of the relevant industry becomes aware of a severe cyber security incident and publicizes the necessary contents and countermeasures under Paragraph 5 of Article 18 of the Act, the publication shall state the time of occurrence of, or of becoming aware of, the incident, its causes, the degree of impact, the control status, and the subsequent improvement measures.

Under any of the following circumstances, the necessary contents and contingency measures relating to the incident under the preceding Paragraph shall not be publicized:

1. Where they involve trade secrets or information relating to the business operations of individuals, juristic persons or organizations, or where disclosure might infringe upon the rights or other rightful interests of a government agency, individual, juristic person or organization; except as otherwise required by law, or where necessary for the public welfare or for the protection of the life, body or health of people, or with the consent of the parties concerned.

2. Other circumstances of confidentiality, restriction or prohibition on disclosure as required by law.

Where part of the necessary contents and contingency measures relating to the incident under Paragraph 1 shall not be publicized pursuant to the preceding Paragraph, only the remaining portion may be publicized.

Article 12 If the businesses of a specific non-government agency involve the accountabilities of several central authorities in charge of relevant industries, the competent authority may, via coordination, designate one or more such central authorities to solely or jointly conduct the matters to be conducted by the central authority in charge of the relevant industry under the Act.

Article 13 The implementation date of these Rules shall be stipulated by the competent authority.
III. Regulations on Classification of Cyber Security Responsibility Levels
1. Promulgated on November 21, 2018
2. Amendment promulgated on August 26, 2019

Article 1 These Regulations are stipulated according to Paragraph 1 of Article 7 of the Cyber Security Management Act (hereinafter referred to as "the Act").

Article 2 The cyber security responsibility levels of government agencies and specific non-government agencies (hereinafter referred to as "each agency") are classified, from high to low, into Level-A, Level-B, Level-C, Level-D and Level-E.

Article 3 The competent authority shall approve its own cyber security responsibility levels every two years.

The agencies directly subordinate to the Executive Yuan shall, every two years, propose the cyber security responsibility levels of their own, of their subordinate or supervisory government agencies, and of their regulated specific non-government agencies, and shall report the same to the competent authority for approval.

Special municipalities and county (city) governments shall, every two years, propose the cyber security responsibility levels of their own, of their subordinate or supervisory government agencies, of their governed village (township/city) and mountain indigenous district offices of special municipalities, and of the subordinate or supervisory government agencies of such governed village (township/city) and mountain indigenous district offices of special municipalities, and shall report the same to the competent authority for approval.

Special municipality and county (city) councils, village (township/city) councils, and mountain indigenous district councils of special municipalities shall, every two years, submit their own cyber security responsibility levels, which shall be compiled and submitted by the special municipalities and county (city) governments where they are located to the competent authority for approval.

The Presidential Office, the National Security Council, the Legislative Yuan, the Judicial Yuan, the Examination Yuan, and the Control Yuan shall, every two years, approve the cyber security responsibility levels of their own, of their subordinate or supervisory government agencies, and of their regulated specific non-government agencies, and shall submit the same to the competent authority for recordation.

If each agency is required to change its cyber security responsibility levels due to adjustments to its organization or businesses, it shall immediately conduct the change of levels according to the procedures under the preceding five paragraphs; the same shall apply when a new agency is established.

In conducting the submission or approval of cyber security responsibility levels under Paragraph 1 to Paragraph 5, if the government agency considers it necessary to otherwise give the entities within the government agency or the specific non-government agency levels that differ from those of such agency, it may determine such levels in accordance with the requirements of Article 4 to Article 10, taking into consideration the nature of the businesses of such entities.

Article 4 The cyber security responsibility levels of each agency under any of the following circumstances are Level-A:

1. Its business involves classified national security information.

2. Its business involves matters of foreign affairs, national defense, or homeland security.

3. Its business involves the maintenance operation of cyber security systems commonly used for nationwide people services or across agencies.

4. Its business involves the possession of personal information of nationwide people or public officials.

5. It is a government agency, and its business involves matters of nationwide energy, water resources, telecommunications, transportation, banking & finance, or emergency rescue.

6. It is a critical infrastructure provider, and the central government level authority in charge of the subject industry, based on consideration of the number of users, market share, the area and the substitutability of its business or maintenance operation of critical infrastructures and services, considers that the failure of or impact on its cyber security system might cause disasters or extremely serious impact on social public interests, people’s morale, or the security of people’s lives, body or property.

7. It is a government medical center.

Article 5 The cyber security responsibility levels of each agency under any of the following circumstances are Level-B:

1. Its business involves the security maintenance and management of sensitive scientific and technological information that is donated, researched, or developed by the government agency.

2. Its business involves the maintenance operation of cyber systems that are commonly used for regional or local people services or across agencies.

3. Its business involves the possession of the archives of personal information of regional or local people.

4. Its business involves the maintenance operation of information and communication systems that are commonly used by the central secondary authority and its subordinate government agencies (institutions).

5. It is a critical infrastructure provider, and the central government level authority in charge of the subject industry, based on consideration of the number of users, market share, the area and the substitutability of its business, or the maintenance operation of critical infrastructure and services, considers that the failure of or impacts on its cyber security systems might cause serious impact on social public interest, people’s morale, or the security of people’s lives, body or property.

6. It is a public regional hospital or local hospital.

Article 6 The cyber security responsibility levels of each agency that maintains and operates cyber systems developed by itself or outsourced for development are Level-C.

Article 7 The cyber security responsibility levels of each agency that conducts cyber business by itself but does not maintain and operate cyber systems developed by itself or outsourced for development are Level-D.

Article 8 The cyber security responsibility levels of each agency under any of the following circumstances are Level-E:

1. It neither has cyber systems nor provides cyber services.

2. It is a government agency, and all of its information and communication business is conducted concurrently or managed by its superior agency, its supervisory agency, or an agency designated by the agencies mentioned above.

3. It is a specific non-government agency, and all of its information and communication business is conducted concurrently or managed by its central authority in charge of relevant industry, a subordinate government agency of the central authority in charge of relevant industry, a specific non-government agency under the charge of the central authority in charge of relevant industry, or the funding government agency.

Article 9 If each agency conforms to two or more of the requirements under Article 4 to the preceding article, its cyber security responsibility levels are classified as the highest level among the requirements to which it conforms.

Article 10 The cyber security responsibility levels of each agency shall be determined in accordance with the preceding six articles; however, when the government agency submits or approves the cyber security responsibility levels under Paragraphs 1 to 5 of Article 3, the levels of each agency may be adjusted by taking into consideration the degree of impact of the following matters on national security, social public interests, the security of people’s lives, body, or property, or the reputation of the government agency:

1. Whether its business involves foreign affairs, national defense, or homeland security, or involves nationwide, regional or local energy, water resources, telecommunications, transportation, banking & finance, emergency rescue, or hospitals.

2. Where its business involves personal information, official confidentiality, or other information which should be kept confidential by law or by contract: the quantity and nature of such information, and the unauthorized access, use, control, breach, damage, tampering, destruction or other infringement thereof.

3. Depending on the different levels of each agency: the impact on, failure, or interruption of its functions.

4. Other concrete matters relating to the provision, maintenance operation, size, or nature of cyber systems.

Article 11 Each agency shall conduct the matters specified in Schedule 1 to Schedule 8, depending on its cyber security responsibility levels.

For the information and communication system that is developed by each agency itself or outsourced for development, each agency shall complete the classification of the information and communication system according to the principles of classification of defense requirements of information and communication systems specified in Schedule 9, and shall implement control measures according to the defense standards of information and communication systems specified in Schedule 10; if the central authority in charge of relevant industry of a specific non-government agency considers it necessary to otherwise provide for defense standards for specific types of information and communication systems, it may propose such defense standards by itself and report them to the competent authority for approval, and shall follow the requirements of such standards if approved.

In conducting the matters specified in Schedule 1 to Schedule 8 or implementing the control measures specified in Schedule 10, if each agency has apparent difficulties in conducting or implementing specific matters or control measures due to such factors as technical limitation, design, structure or nature of individual cyber systems, it may, with the consent of the agency submitting its levels under Paragraph 2 to Paragraph 4 of Article 3 or the agency approving its levels under Paragraph 5 of the same article, and upon reporting to the competent authority for recordation, be exempted from the implementation of such matters or control measures.

The government agency whose cyber security responsibility levels are Level-A or Level-B shall report the implementation status of the matters under Paragraph 1 and Paragraph 2 in the manner designated by the competent authority.

The central government level authority in charge of the subject industry may require the specific non-government agency regulated by it to report the implementation status of the matters under Paragraph 1 and Paragraph 2 in the manner designated by it.

Article 12 The implementation date of the Regulations shall be stipulated by the competent authority.

The amendments to the Regulations shall take effect on the date of promulgation.

Schedule 1: Matters to be conducted by the government agency of cyber security responsibility Level-A

Management aspect

Classification of levels and defense standards of the cyber system: Within one year after receipt of initial approval or change of levels, the government agency shall complete the classification of levels of the cyber system developed by itself or outsourced according to Schedule 9, and shall complete the control measures specified in Schedule 10; subsequently, the government agency shall inspect the appropriateness of the classification of levels of the cyber system at least once a year.

The importation of the information security management system and verification by an impartial third party: Within two years after receipt of initial approval or change of level, the government agency shall import to all of its core information and communication systems the CNS 27001 or ISO 27001 information security management system standards, or other systems or standards with equal or better effects, or other standards developed by the government agency itself and approved by the competent authority; within three years of the completion of impartial third-party certification, the government agency shall continually maintain the validity of its certification.

Dedicated cyber security personnel: Within one year after receipt of initial approval or change of levels, the government agency shall deploy four persons on a full-time basis.

Internal cyber security audits: Conduct twice a year.

Business sustainable operation rehearsals: Conduct once a year for all core cyber systems.

Cyber governance maturity assessment: Conduct once a year.

Restricted use of threatening national cyber security products:
1. Except for business needs with no other alternatives, it is not allowed to purchase and use the threatening national cyber security products that are produced, researched, developed, manufactured or provided by the manufacturers approved by the competent authority.
2. When purchasing or using a threatening national cyber security product, it shall specify the reasons and purchase it on a case-by-case basis after receiving approval from the competent authority.
3. The threatening national cyber security products that were used before the amendment to the Regulations took effect, or that were approved by the competent authority for business needs with no other alternatives, should be listed for management and should not be interfaced with the official network environment.

Technical aspect

Security detection
(1) Detection of website security vulnerabilities: Conduct twice a year for all core cyber systems.
(2) Testing of system penetrations: Conduct once a year for all core cyber systems.

Cyber security health diagnosis
(1) Inspection of network frameworks
(2) Inspection of malicious cyber activities
(3) Inspection of malicious activities in user terminal computers
(4) Inspection of malicious activities in servers
(5) Inspection of settings of directory servers and settings of firewall connections
Contents for sub-items (1) to (5): Conduct once a year.

Cyber security threat detection management mechanisms: Within one year after receipt of initial approval or change of levels, the government agency shall complete the development of threat detection mechanisms, shall continue the maintenance and operation thereof, and shall submit the monitoring management documentation in the manner designated by the competent authority.

Government configuration standards: Within one year of receipt of initial approval or change of levels, the government agency shall complete the import operation of government configuration standards for the items publicized by the competent authority and shall continue the maintenance and operation thereof.

Cyber security defense
(1) Anti-virus software
(2) Network firewalls
(3) If the government agency has email servers, it should have email filtering mechanisms
(4) Hacking detection and defense mechanisms
(5) If the government agency has core cyber systems for external services, it should have the application firewalls
(6) Defense measures for advanced persistent threat attacks
Contents for sub-items (1) to (6): Within one year after receipt of approval or change of levels, the government agency shall complete activation of the various cyber security defense measures, continue to use such measures, and timely conduct the necessary update or upgrading of software and hardware.

Awareness and training

Cyber security education and training
(1) Full-time cyber security personnel: Each person shall receive the cyber security professional program training or the cyber security competence training for not less than twelve hours each year.
(2) Information personnel other than full-time cyber security personnel: Each person shall receive the cyber security professional program training or the cyber security competence training for not less than three hours every two years, and receive general cyber security education training for not less than three hours each year.
(3) General users and officers: Each year, each person shall receive general cyber security education training for not less than three hours.

Cyber security professional licenses and competence training certificates
(1) Cyber security professional licenses: Within one year after receipt of initial approval or change of levels, the full-time cyber security personnel shall hold a total of not less than four licenses, and shall continually maintain the validity of the licenses.
(2) Cyber security competence assessment certificates: Within one year after receipt of initial approval or change of levels, the full-time cyber security personnel shall hold a total of not less than four certificates, and shall continually maintain the validity of the certificates.

Notes:
1. If a cyber system is of the nature of common use, whether it is a core cyber system or not shall be judged by the agency in charge of the installation, maintenance, and development of such cyber system.
2. The third party as used in “impartial third-party certification” refers to an agency commissioned by the competent authority for the certification process in accordance with the Standards Act of our country.
3. The threatening national cyber security products refer to the information and communication systems and services that directly or indirectly harm the operation of the government or social stability.
4. The full-time cyber security personnel refer to the personnel who should implement cyber security business on a full-time basis.
5. In conducting the “cyber security health diagnosis” of this Schedule, in addition to implementation of the items, contents and timeframes specified in this Schedule, the government agency may take other measures which have equal or better effect as approved by the competent authority.
6. Cyber security professional licenses refer to the cyber security professional licenses issued by domestic and foreign issuing authorities (entities) recognized by the competent authorities.

Schedule 2: Matters to be conducted by the specific non-government agency of cyber security responsibility Level-A

Management aspect

Classification of levels and defense standards of the cyber system: Within one year after receipt of initial approval or change of levels, the specific non-government agency shall complete the classification of levels of the cyber systems developed by itself or outsourced according to Schedule 9, and shall complete the control measures specified in Schedule 10; subsequently, the specific non-government agency shall inspect the appropriateness of the classification of levels of the cyber system at least once a year.

The importation of the information security management system and verification by an impartial third party: Within two years after receipt of initial approval or change of level, the specific non-government agency shall import to all of its core information and communication systems the CNS 27001 or ISO 27001 information security management system standards, or other systems or standards with equal or better effects, or other standards developed by the specific non-government agency itself and approved by the competent authority; within three years of the completion of impartial third-party certification, the specific non-government agency shall continually maintain the validity of its certification.

Dedicated cyber security personnel: Within one year after receipt of initial approval or change of levels, the specific non-government agency shall deploy four persons.

Internal cyber security audits: Conduct twice a year.

Business sustainable operation rehearsals: Conduct once a year for all core cyber systems.

Restricted use of threatening national cyber security products:
1. Except for business needs with no other alternatives, it is not allowed to purchase and use the threatening national cyber security products that are produced, researched, developed, manufactured or provided by the manufacturers approved by the competent authority.
2. When purchasing or using a threatening national cyber security product, it shall specify the reasons and purchase it on a case-by-case basis after receiving approval from the competent authority.
3. The threatening national cyber security products that were used before the amendment to the Regulations took effect, or that were approved by the competent authority for business needs with no other alternatives, should be listed for management and should not be interfaced with the official network environment.

Technical aspect

Security detection
(1) Detection of website security vulnerabilities: Conduct twice a year for all core cyber systems.
(2) Testing of system penetrations: Conduct once a year for all core cyber systems.

Cyber security health diagnosis
(1) Inspection of network frameworks
(2) Inspection of malicious cyber activities
(3) Inspection of malicious activities in user terminal computers
(4) Inspection of malicious activities in servers
(5) Inspection of settings of directory servers and settings of firewall connections
Contents for sub-items (1) to (5): Conduct once a year.

Cyber security threat detection management mechanisms: Within one year after receipt of initial approval or change of levels, the specific non-government agency shall complete the development of threat detection mechanisms and shall continue the maintenance and operation thereof.

Cyber security defense
(1) Anti-virus software
(2) Network firewalls
(3) If the specific non-government agency has email servers, it should have email filtering mechanisms
(4) Hacking detection and defense mechanisms
(5) If the specific non-government agency has a core cyber system for external services, it should have the application firewalls
(6) Defense measures for advanced persistent threat attacks
Contents for sub-items (1) to (6): Within one year after receipt of approval or change of levels, the specific non-government agency shall complete activation of the various cyber security defense measures, continue to use such measures, and timely conduct the necessary update or upgrading of software and hardware.

Awareness and training

Cyber security education and training
(1) Dedicated cyber security personnel: Each person shall receive the cyber security professional program training or the cyber security competence training for not less than twelve hours each year.
(2) Information personnel other than dedicated cyber security personnel: Each person shall receive the cyber security professional program training or the cyber security competence training for not less than three hours every two years, and receive general cyber security education training for not less than three hours each year.
(3) General users and officers: Each year, each person shall receive the general cyber security education training for not less than three hours.

Cyber security professional licenses: Within one year after receipt of initial approval or change of levels, the dedicated cyber security personnel shall hold a total of not less than four licenses, and shall continually maintain the validity of the licenses.

Notes:
1. If a cyber system is of the nature of common use, whether it is a core cyber system or not shall be judged by the agency in charge of the installation, maintenance, and development of such cyber system.
2. The third party as used in “impartial third-party certification” refers to an agency commissioned by the competent authority for the certification in accordance with the Standards Act of our country.
3. The threatening national cyber security products refer to the information and communication systems and services that directly or indirectly harm the operation of the government or social stability.
4. In conducting a “cyber security health diagnosis” of this Schedule, in addition to implementation of the items, contents and timeframes specified in this Schedule, the specific non-government agency may take other measures which have equal or better effect as approved by the central government level authority in charge of the subject industry.
5. The central government level authority in charge of the subject industry of the specific non-government agency may, depending on the actual requirements and to the extent of compliance with these Regulations, otherwise provide for the cyber security matters to be conducted by its regulated specific non-government agency.
6. Cyber security professional licenses refer to the cyber security professional licenses issued by domestic and foreign issuing authorities (entities) recognized by the competent authorities.

Schedule 3: Matters to be conducted by the government agency of cyber security responsibility Level-B

Management aspect

Classification of levels and defense standards of cyber systems: Within one year after receipt of initial approval or change of levels, the government agency shall complete the classification of levels of the cyber system developed by itself or outsourced according to Schedule 9, and shall complete the control measures specified in Schedule 10; subsequently, the government agency shall inspect the appropriateness of the classification of levels of cyber systems at least once a year.

The importation of the information security management system and verification by an impartial third party: Within two years after receipt of initial approval or change of level, the government agency shall import to all of its core information and communication systems the CNS 27001 or ISO 27001 information security management system standards, or other systems or standards with equal or better effects, or other standards developed by the government agency itself and approved by the competent authority; within three years of the completion of impartial third-party certification, the government agency shall continually maintain the validity of its certification.

Dedicated cyber security personnel: Within one year after receipt of initial approval or change of levels, the government agency shall deploy two persons on a full-time basis.

Internal cyber security audits: Conduct once a year.

Business sustainable operation rehearsals: Conduct once every two years for all core cyber systems.

Cyber governance maturity assessment: Conduct once a year.

Restricted use of threatening national cyber security products:
1. Except for business needs with no other alternatives, it is not allowed to purchase and use the threatening national cyber security products that are produced, researched, developed, manufactured or provided by the manufacturers approved by the competent authority.
2. When purchasing or using a threatening national cyber security product, it shall specify the reasons and purchase it on a case-by-case basis after receiving approval from the competent authority.
3. The threatening national cyber security products that were used before the amendment to the Regulations took effect, or that were approved by the competent authority for business needs with no other alternatives, should be listed for management and should not be interfaced with the official network environment.

Technical aspect

Security detection
(1) Detection of website security vulnerabilities: Conduct once a year for all core cyber systems.
(2) Testing of system penetrations: Conduct once every two years for all core cyber systems.

Cyber security health diagnosis
(1) Inspection of network frameworks
(2) Inspection of malicious cyber activities
(3) Inspection of malicious activities in user terminal computers
(4) Inspection of malicious activities in servers
(5) Inspection of settings of directory servers and settings of firewall connections
Contents for sub-items (1) to (5): Conduct once every two years.

Cyber security threat detection management mechanisms: Within one year after receipt of initial approval or change of levels, the government agency shall complete the development of threat detection mechanisms, shall continue the maintenance and operation thereof, and shall submit the monitoring management documentation in the manner designated by the competent authority.

Government configuration standards: Within one year of receipt of initial approval or change of levels, the government agency shall complete the import operation of government configuration standards for the items publicized by the competent authority and shall continue the maintenance and operation thereof.

Cyber security defense
(1) Anti-virus software
(2) Network firewalls
(3) If the government agency has email servers, it should have email filtering mechanisms
(4) Hacking detection and defense mechanisms
(5) If the government agency has the core cyber system for external services, it should have the application firewalls
Contents for sub-items (1) to (5): Within one year after receipt of approval or change of levels, the government agency shall complete activation of the various cyber security defense measures, continue to use such measures, and timely conduct the necessary update or upgrading of software and hardware.

Awareness and training

Cyber security education and training
(1) Full-time cyber security personnel: Each person shall receive the cyber security professional program training or the cyber security competence training for not less than twelve hours each year.
(2) Information personnel other than full-time cyber security personnel: Each person shall receive the cyber security professional program training or the cyber security competence training for not less than three hours every two years, and receive general cyber security education training for not less than three hours each year.
(3) General users and officers: Each year, each person shall receive the general cyber security education training for not less than three hours.

Cyber security professional licenses and competence training certificates
(1) Cyber security professional licenses: Within one year after receipt of initial approval or change of levels, the full-time cyber security personnel shall hold a total of not less than two licenses and shall continually maintain the validity of the licenses.
(2) Cyber security competence assessment certificates: Within one year after receipt of initial approval or change of levels, the full-time cyber security personnel shall hold a total of not less than two licenses and shall continually maintain the validity of the licenses.

Notes:
1. If a cyber system is of the nature of common use, whether it is a core cyber system or not shall be judged by the agency in charge of the installation, maintenance, or development of such cyber system.
2. The third party as used in “impartial third-party certification” refers to an agency commissioned by the competent authority for the certification in accordance with the Standards Act of our country.
3. The threatening national cyber security products refer to the information and communication systems and services that directly or indirectly harm the operation of the government or social stability.
4. The full-time cyber security personnel refer to the personnel who should implement cyber security business on a full-time basis.
5. In conducting a “cyber security health diagnosis” of this Schedule, in addition to implementation of the items, contents and timeframes specified in this Schedule, the government agency may take other measures which have equal or better effect as approved by the competent authority.
6. Cyber security professional licenses refer to the cyber security professional licenses issued by domestic and foreign issuing authorities (entities) recognized by the competent authorities.

Schedule 4: Matters to be conducted by the specific non-government agency
of cyber security responsibility Level-B

(Columns of the original table: System aspect / Items conducted / Sub-items conducted /
Contents conducted)

Management aspect
  Classification of levels and defense standards of the cyber system:
    Within one year after receipt of initial approval or change of levels, the specific
    non-government agency shall complete the classification of levels of the cyber
    systems developed by itself or outsourced according to Schedule 9, and shall
    complete the control measures specified in Schedule 10; subsequently, the specific
    non-government agency shall inspect the appropriateness of the classification of
    levels of cyber systems at least once a year.
  The importation of the information security management system and verification
  by an impartial third party:
    Within two years after receipt of initial approval or change of level, the specific
    non-government agency shall import to all of its core information and
    communication systems the standards - CNS 27001 or ISO 27001 information
    security management system, or other systems or standards with equal or better
    effects, or other standards developed by the specific non-government agency
    itself and approved by the competent authority; within three years of the
    completion of impartial third-party certification, the specific non-government
    agency shall continually maintain the validity of its certification.
  Dedicated cyber security personnel:
    Within one year after receipt of initial approval or change of levels, the specific
    non-government agency shall deploy two persons.
  Internal cyber security audits:
    Conduct once a year.
  Business sustainable operation rehearsals:
    Conduct once every two years for all core cyber systems.
  Restricted use of threatening national cyber security products:
    1. Except for business needs with no other alternatives, it is not allowed to
       purchase and use the threatening national cyber security products that are
       produced, researched, developed, manufactured or provided by the
       manufacturers approved by the competent authority.
    2. When purchasing or using a threatening national cyber security product, it
       shall specify the reasons and purchase it on a case-by-case basis after
       receiving approval from the competent authority.
    3. For the threatening national cyber security products that were used before
       the amendment to the Regulation took effect or that were approved by the
       competent authority for business needs with no other alternatives, they should
       be listed for management and should not be interfaced with the official
       network environment.

Technical aspect
  Security detection:
    Detection of website security vulnerabilities: Conduct once a year for all core
    cyber systems.
    Testing of system penetrations: Conduct once every two years for all core cyber
    systems.
  Cyber security health diagnosis:
    Inspection of network frameworks; inspection of malicious cyber activities;
    inspection of malicious activities in user terminal computers; inspection of
    malicious activities in servers; inspection of settings of directory servers and
    settings of firewall connections: Conduct once every two years.
  Cyber security threat detection management mechanisms:
    Within one year after receipt of initial approval or change of levels, the specific
    non-government agency shall complete the development of threat detection
    mechanisms and shall continue the maintenance and operation thereof.
  Cyber security defense:
    Anti-virus software; network firewalls; if the specific non-government agency has
    email servers, it should have email filtering mechanisms; hacking detection and
    defense mechanisms; if the specific non-government agency has the core cyber
    system for external services, it should have the application firewalls:
    Within one year after receipt of approval or change of levels, the specific
    non-government agency shall complete activation of various cyber security
    defense measures and continue to use such measures and timely conduct the
    necessary update or upgrading of software and hardware.

Awareness and training
  Cyber security education and training:
    Dedicated cyber security personnel: Each personnel shall receive the cyber
    security professional program training or the cyber security competence training
    for not less than twelve hours each year.
    Information personnel other than dedicated cyber security personnel: Each
    personnel shall receive the cyber security professional program training or the
    cyber security competence training for not less than three hours every two years
    and receive general cyber security education training for not less than three
    hours each year.
    General user and officer: Each year, each person shall receive the general cyber
    security education training for not less than three hours.
  Cyber security professional licenses:
    Within one year after receipt of initial approval or change of levels, the
    dedicated cyber security personnel shall hold a total of not less than two
    licenses, and shall continually maintain the validity of the licenses.
Notes:
1. If a cyber system is of the nature of common use, whether it is a core cyber system
or not shall be judged by the agency in charge of the installation, maintenance of, or
development of such cyber system.
2. The third party as used in “impartial third-party certification” refers to an agency
commissioned by the competent authority for the certification in accordance with the
Standards Act of our country.
3. The threatening national cyber security products refer to the information and
communication systems and services that directly or indirectly harm the operation of
the government or social stability.
4. In conducting a “cyber security health diagnosis” of this Schedule, in addition to
implementation of the items, contents and timeframes specified in this Schedule, the
specific non-government agency may take other measures which have equal or better
effect as approved by the central government level authority in charge of the subject
industry.
5. The central government level authority in charge of the subject industry of the
specific non-government agency may, depending on actual requirements and to the
extent of compliance with requirements of these Regulations, otherwise provide for
the cyber security matters to be conducted by its regulated specific non-government
agency.
6. Cyber security professional licenses refer to the cyber security professional licenses
issued by domestic and foreign issuing authorities (entities) recognized by the
competent authorities.

Schedule 5: Matters to be conducted by the government agency of cyber
security responsibility Level-C

(Columns of the original table: System aspect / Items conducted / Sub-items conducted /
Contents conducted)

Management aspect
  Classification of levels and defense standards of the cyber system:
    Within one year after receipt of initial approval or change of levels, the
    government agency shall complete the classification of levels of the cyber
    systems developed by itself or outsourced according to Schedule 9; subsequently,
    the government agency shall inspect the appropriateness of the classification of
    levels of cyber systems at least once a year. If the system levels are “high”, the
    government agency shall, within two years of receipt of initial approval or change
    of levels, complete the control measures specified in Schedule 10.
  The importation of the information security management system:
    Within two years after receipt of initial approval or change of level, the
    government agency shall import to all of its core information and communication
    systems the standards - CNS 27001 or ISO 27001 information security management
    system, or other systems or standards with equal or better effects, or other
    standards developed by the government agency itself and approved by the
    competent authority, and shall continually maintain the importation thereof.
  Dedicated cyber security personnel:
    Within one year after receipt of initial approval or change of levels, the
    government agency shall deploy one person on a full-time basis.
  Internal cyber security audits:
    Conduct once every two years.
  Business sustainable operation rehearsal:
    Conduct once every two years for all core information and communication systems.
  Restricted use of threatening national cyber security products:
    1. Except for business needs with no other alternatives, it is not allowed to
       purchase and use the threatening national cyber security products that are
       produced, researched, developed, manufactured or provided by the
       manufacturers approved by the competent authority.
    2. When purchasing or using a threatening national cyber security product, it
       shall specify the reasons and purchase it on a case-by-case basis after
       receiving approval from the competent authority.
    3. For the threatening national cyber security products that were used before
       the amendment to the Regulation took effect or that were approved by the
       competent authority for business needs with no other alternatives, they should
       be listed for management and should not be interfaced with the official
       network environment.

Technical aspect
  Security detection:
    Detection of website security vulnerabilities: Conduct once every two years for
    all core cyber systems.
    Testing of system penetrations: Conduct once every two years for all core cyber
    systems.
  Cyber security health diagnosis:
    Inspection of network frameworks; inspection of malicious cyber activities;
    inspection of malicious activities in user terminal computers; inspection of
    malicious activities in servers; inspection of settings of directory servers and
    settings of firewall connections: Conduct once every two years.
  Cyber security defense:
    Anti-virus software; network firewalls; if the government agency has email
    servers, it should have email filtering mechanisms:
    Within one year after receipt of approval or change of levels, the government
    agency shall complete activation of various cyber security defense measures and
    continue to use such measures and timely conduct the necessary update or
    upgrading of software and hardware.

Awareness and training
  Cyber security education and training:
    Full-time cyber security personnel: Each personnel shall receive the cyber
    security professional program training or the cyber security competence training
    for not less than twelve hours each year.
    Information personnel other than full-time cyber security personnel: Each
    personnel shall receive the cyber security professional program training or the
    cyber security competence training for not less than three hours every two years
    and receive general cyber security education training for not less than three
    hours each year.
    General user and officer: Each year, each person shall receive the general cyber
    security education training for not less than three hours.
  Cyber security professional license and competence training certificates:
    Cyber security professional license: The full-time cyber security personnel shall
    hold a total of not less than one license, and shall continually maintain the
    validity of licenses.
    Cyber security competence assessment certificates: Within one year after receipt
    of initial approval or change of levels, the full-time cyber security personnel
    shall hold a total of not less than one license, and shall continually maintain
    the validity of the license.
Notes:
1. If an information and communication system is of a shared nature, whether it is a
core system shall be judged by the agency in charge of the installation, maintenance
or development of such information and communication system.
2. The threatening national cyber security products refer to the information and
communication systems and services that directly or indirectly harm the operation of
the government or social stability.
3. The full-time cyber security personnel refer to the personnel who should implement
cyber security business on a full-time basis.
4. In conducting a “cyber security health diagnosis” of this Schedule, in addition to
implementation of the items, contents and timeframes specified in this Schedule, the
government agency may take other measures which have equal or better effects as
approved by the competent authority.
5. Cyber security professional licenses refer to the cyber security professional licenses
issued by domestic and foreign issuing authorities (entities) recognized by the
competent authority.

Schedule 6: Matters to be conducted by the specific non-government agency
of cyber security responsibility Level-C

(Columns of the original table: System aspect / Items conducted / Sub-items conducted /
Contents conducted)

Management aspect
  Classification of levels and defense standards of cyber systems:
    Within one year after receipt of initial approval or change of levels, the specific
    non-government agency shall complete the classification of levels of the cyber
    systems developed by itself or outsourced according to Schedule 9; subsequently,
    the specific non-government agency shall inspect the appropriateness of the
    classification of levels of cyber systems at least once a year. If the system
    levels are “high”, the specific non-government agency shall, within two years of
    receipt of initial approval or change of levels, complete the control measures
    specified in Schedule 10.
  The importation of the information security management system:
    Within two years after receipt of initial approval or change of level, the specific
    non-government agency shall import to all of its core information and
    communication systems the standards - CNS 27001 or ISO 27001 information
    security management system, or other systems or standards with equal or better
    effects, or other standards developed by the specific non-government agency
    itself and approved by the competent authority, and shall continually maintain
    the importation thereof.
  Dedicated cyber security personnel:
    Within one year after receipt of initial approval or change of levels, the specific
    non-government agency shall deploy one person.
  Internal cyber security audits:
    Conduct once every two years.
  Business sustainable operation rehearsal:
    Conduct once every two years for all core information and communication systems.
  Restricted use of threatening national cyber security products:
    1. Except for business needs with no other alternatives, it is not allowed to
       purchase and use the threatening national cyber security products that are
       produced, researched, developed, manufactured or provided by the
       manufacturers approved by the competent authority.
    2. When purchasing or using a threatening national cyber security product, it
       shall specify the reasons and purchase it on a case-by-case basis after
       receiving approval from the competent authority.
    3. For the threatening national cyber security products that were used before
       the amendment to the Regulation took effect or that were approved by the
       competent authority for business needs with no other alternatives, they should
       be listed for management and should not be interfaced with the official
       network environment.

Technical aspect
  Security detection:
    Detection of website security vulnerabilities: Conduct once every two years for
    all core cyber systems.
    Testing of system penetrations: Conduct once every two years for all core cyber
    systems.
  Cyber security health diagnosis:
    Inspection of network frameworks; inspection of malicious cyber activities;
    inspection of malicious activities in user terminal computers; inspection of
    malicious activities in servers; inspection of settings of directory servers and
    settings of firewall connections: Conduct once every two years.
  Cyber security defense:
    Anti-virus software; network firewalls; if the specific non-government agency has
    email servers, it should have email filtering mechanisms:
    Within one year after receipt of approval or change of levels, the specific
    non-government agency shall complete activation of various cyber security
    defense measures and continue to use such measures and timely conduct the
    necessary update or upgrading of software and hardware.

Awareness and training
  Cyber security education and training:
    Dedicated cyber security personnel: Each personnel shall receive the cyber
    security professional program training or the cyber security competence training
    for not less than twelve hours each year.
    Information personnel other than dedicated cyber security personnel: Each
    personnel shall receive the cyber security professional program training or the
    cyber security competence training for not less than three hours every two years
    and receive general cyber security education training for not less than three
    hours each year.
    General user and officer: Each year, each person shall receive the general cyber
    security education training for not less than three hours.
  Cyber security professional licenses:
    Within one year after receipt of initial approval or change of levels, the
    dedicated cyber security personnel shall hold a total of not less than one
    license, and shall continually maintain the validity of the license.
Notes:
1. If a cyber system is of the nature of common use, whether it is a core cyber system
or not shall be judged by the agency in charge of the installation, maintenance of, or
development of such cyber system.
2. The threatening national cyber security products refer to the information and
communication systems and services that directly or indirectly harm the operation of
the government or social stability.
3. In conducting a “cyber security health diagnosis” of this Schedule, in addition to
implementation of the items, contents and timeframes specified in this Schedule, the
specific non-government agency may take other measures which have equal or better
effect as approved by the central government level authority in charge of the subject
industry.
4. The central government level authority in charge of the subject industry of the
specific non-government agency may, depending on actual requirements and to the
extent of compliance with requirements of these Regulations, otherwise provide for
the cyber security matters to be conducted by its regulated specific non-government
agency.
5. Cyber security professional licenses refer to the cyber security professional licenses
issued by domestic and foreign issuing authorities (entities) recognized by the
competent authorities.

Schedule 7: Matters to be conducted by each agency of cyber security
responsibility Level-D

(Columns of the original table: System aspect / Items conducted / Sub-items conducted /
Contents conducted)

Management aspect
  Restricted use of threatening national cyber security products:
    1. Except for business needs with no other alternatives, it is not allowed to
       purchase and use the threatening national cyber security products that are
       produced, researched, developed, manufactured or provided by the
       manufacturers approved by the competent authority.
    2. When purchasing or using a threatening national cyber security product, it
       shall specify the reasons and purchase it on a case-by-case basis after
       receiving approval from the competent authority.
    3. For the threatening national cyber security products that were used before
       the amendment to the Regulation took effect or that were approved by the
       competent authority for business needs with no other alternatives, they should
       be listed for management and should not be interfaced with the official
       network environment.

Technical aspect
  Cyber security defense:
    Anti-virus software; network firewalls; if each agency has email servers, it
    should have email filtering mechanisms:
    Within one year after receipt of approval or change of levels, each agency shall
    complete activation of various cyber security defense measures and continue to
    use such measures and timely conduct the necessary update or upgrading of
    software and hardware.

Awareness and training
  Cyber security education and training:
    General users and officers: Each year, each person shall receive general cyber
    security education training for not less than three hours.

Note: The central government level authority in charge of the subject industry of the specific
non-government agency may, depending on actual requirements and to the extent of
compliance with requirements of these Regulations, otherwise provide for the cyber
security matters to be conducted by its regulated specific non-government agency.

Schedule 8: Matters to be conducted by each agency of cyber security
responsibility Level-E

(Columns of the original table: System aspect / Items conducted / Sub-items conducted /
Contents conducted)

Management aspect
  Restricted use of threatening national cyber security products:
    1. Except for business needs with no other alternatives, it is not allowed to
       purchase and use the threatening national cyber security products that are
       produced, researched, developed, manufactured or provided by the
       manufacturers approved by the competent authority.
    2. When purchasing or using a threatening national cyber security product, it
       shall specify the reasons and purchase it on a case-by-case basis after
       receiving approval from the competent authority.
    3. For the threatening national cyber security products that were used before
       the amendment to the Regulation took effect or that were approved by the
       competent authority for business needs with no other alternatives, they should
       be listed for management and should not be interfaced with the official
       network environment.

Awareness and training
  Cyber security education and training:
    General users and officers: Each year, each person shall receive general cyber
    security education training for not less than three hours.

Note: The central government level authority in charge of the subject industry of the specific
non-government agency may, depending on actual requirements and to the extent of
compliance with requirements of these Regulations, otherwise provide for the cyber
security matters to be conducted by its regulated specific non-government agency.

Schedule 9: Principles of classification of levels of defense requirements of
cyber system

(Rows of the original table: dimension; columns: defense requirement level High /
Medium / Common)

Confidentiality
  High: The occurrence of cyber security incidents resulting in impact on the cyber
    system might cause unauthorized disclosure of information, leading to very serious
    or disastrous impact on the operation, assets or reputation of the agencies.
  Medium: The occurrence of cyber security incidents resulting in impact on the cyber
    system might cause unauthorized disclosure of information, leading to serious
    impact on the operation, assets or reputation of the agencies.
  Common: The occurrence of cyber security incidents resulting in impact on the cyber
    system might cause unauthorized disclosure of information, leading to limited
    impact on the operation, assets or reputation of the agencies.

Integrity
  High: The occurrence of cyber security incidents resulting in impact on the cyber
    systems might cause errors or tampering of information, leading to very serious or
    disastrous impact on the operation, assets or reputation of the agencies.
  Medium: The occurrence of cyber security incidents resulting in impact on the cyber
    systems might cause errors or tampering of information, leading to serious impact
    on the operation, assets or reputation of the agencies.
  Common: The occurrence of cyber security incidents resulting in impact on the cyber
    systems might cause errors or tampering of information, leading to limited impact
    on the operation, assets or reputation of the agencies.

Availability
  High: The occurrence of cyber security incidents resulting in impact on the cyber
    systems might cause the interruption of access to or use of the information and
    cyber systems, leading to very serious or disastrous impact on the operation,
    assets or reputation of the agencies.
  Medium: The occurrence of cyber security incidents resulting in impact on the cyber
    systems might cause the interruption of access to or use of the information and
    cyber systems, leading to serious impact on the operation, assets or reputation
    of the agencies.
  Common: The occurrence of cyber security incidents resulting in impact on the cyber
    systems might cause the interruption of access to or use of the information and
    cyber systems, leading to limited impact on the operation, assets or reputation
    of the agencies.

Regulatory compliance
  High: The failure to strictly comply with regulatory requirements relating to the
    installation or operation of cyber systems involving cyber security might cause
    impact on the cyber systems, leading to cyber security incidents, or impact on
    the legitimate rights and interests of others or the impartiality and
    justifiability of the agencies in the performance of business, and cause the
    personnel of the agencies to be subject to criminal liability.
  Medium: The failure to strictly comply with regulatory requirements relating to the
    installation or operation of cyber systems involving cyber security might cause
    impact on the cyber systems, leading to cyber security incidents, or impact on
    the legitimate rights and interests of others or the impartiality and
    justifiability of the agencies in the performance of business, and cause the
    agencies or their personnel to be subject to administrative punishments,
    discipline, or penalties.
  Common: Other status of installation or operation of cyber systems under relevant
    regulatory requirements.

Note: The defense requirement levels of the cyber system shall be the highest ones as determined in
any of the dimensions of confidentiality, integrity, availability and regulatory compliance
relating to such systems.

Schedule 10: Defense standards of cyber systems

(Columns of the original table: Dimension / Control measures / Contents of the measures,
given separately for each defense requirement level of the system: High, Medium, Common.
"All control measures for the level of X" means that the measures listed for level X
also apply.)

Access control
  Account management
    High:
      1. When the expected idle time prescribed by the agencies or the usable time is
         exceeded, the system should automatically log out the users.
      2. Use the cyber system according to the circumstances and conditions
         prescribed by the agencies.
      3. Monitor the cyber system accounts; report to the administrator if any
         abnormal use by an account is found.
      4. All control measures for the level of “medium”.
    Medium:
      1. Temporary or emergent accounts which have expired should be deleted or
         blocked.
      2. Idle accounts of cyber systems should be blocked.
      3. Periodically review the establishment, revision, activation, prohibition,
         and deletion of accounts of cyber systems.
      4. All control measures for the level of “common”.
    Common:
      Establish account management mechanisms, including procedures for
      application, activation, suspension, and deletion.
  Least privilege
    High and Medium:
      The principle of least privilege is adopted. The users (or the programs acting
      on behalf of users) are granted only the authorized access required for the
      completion of duties, depending on the duties and business functions of the
      agencies.
    Common:
      No requirement.
  Remote access
    High and Medium:
      1. Any remote connection with the cyber system should be monitored.
      2. The cyber system should adopt encryption mechanisms.
      3. The source of remote access to the cyber system should be the access
         control point as pre-defined and managed by the agencies.
      4. All control measures for the level of “common”.
    Common:
      For each kind of permitted remote access, authorization should be obtained in
      advance; the use restriction, configuration requirement, connection
      requirement, and documentation should be established; and the inspection of
      users’ privileges should be completed at the server terminal.

Audits and accountabilities
  Audit events
    High and Medium:
      1. Audit events should be reviewed periodically.
      2. All control measures for the level of “common”.
    Common:
      1. Retain audit records according to the prescribed time cycle and the policies
         of record retention. Assure that the cyber system has the function of audit
         of specific events, and determine the specific cyber system incidents to be
         audited.
      2. Should audit the various functions executed by the administrator account of
         the cyber system.
  Contents of audit records
    High and Medium:
      1. Audit records generated by the cyber systems shall include other relevant
         information as required.
      2. All control measures for the level of “common”.
    Common:
      Audit records generated by the cyber system shall include the type of
      incidents, date of occurrence, place of occurrence, and information about the
      identification of the users relating to the incidents; single journal recording
      mechanisms should be adopted to assure the consistency of the formats of output.
  Storage capacity for the audits
    All levels:
      Storage capacity required for the audit records shall be equipped depending on
      the requirement of the storage of audit records.
  Response to failure in audit process
    High:
      1. Upon occurrence of audit failure events, which should be reported
         immediately as required by the agencies, the cyber systems should give
         warnings to the specific personnel within the timeframes prescribed by the
         agencies.
      2. All control measures for the levels of “medium” and “common”.
    Medium and Common:
      In case of failure in the audit process, the cyber systems should take
      appropriate actions.
  Time stamp and time calibration
    High and Medium:
      1. The internal clock of the system should synchronize with the time cycle
         specified by the agencies and the source of standard times.
      2. All control measures for the level of “common”.
    Common:
      The cyber systems should use the internal clock of the systems to generate
      time stamps required for audit records, and such time stamps should be able to
      correspond to Universal Time Coordinated (UTC) or Greenwich Mean Time (GMT).
  Protection of audit information
    High:
      1. Periodically back up the audit records to a physical system different from
         the original audit system.
      2. All control measures for the level of “medium”.
    Medium:
      1. Should use hashing or other proper methods to assure the integrity of the
         audit information.
      2. All control measures for the level of “common”.
    Common:
      The access management of audit records is limited to users with privileges.

Business continuity plan
  Backup of system
    High:
      1. Should take the backup and restore as a part of the testing of the business
         continuity plan.
      2. Should store the important software of the cyber system and backup of other
         security related information in independent facilities or fire cabinets at a
         place different from the operating systems.
      3. All control measures for the level of “medium”.
    Medium:
      1. Should periodically test the backup information to verify the reliability of
         the backup media and the integrity of the data information.
      2. All control measures for the level of “common”.
    Common:
      1. Set requirements for the tolerable time of information loss of the system.
      2. Execute the backup of the system source codes.
  System rescue
    High and Medium:
      1. Set requirements for the tolerable time from the interruption of the cyber
         system to the recovery of service.
      2. When the original service is interrupted, the service is provided by the
         rescue equipment in lieu thereof within the tolerable time.
    Common:
      No requirement.

Identification and authentication
  Identification and authentication of internal users
    High:
      1. Adopt multiple authentication technologies for the network of accounts or
         the access to the host.
      2. All control measures for the levels of “medium” and “common”.
    Medium and Common:
      The cyber system should have the function of identification and
      authentication of individual agency users (or the program acting on behalf of
      agency users); common accounts are prohibited.
  Identity verification management
    High and Medium:
      1. Identity verification mechanisms should prevent logon by automatic programs
         or the trials of change of passwords.
      2. The password resetting mechanisms should verify the identities of users
         again, and then send one-time and time-based tokens.
      3. All control measures for the level of “common”.
    Common:
      1. When using the preset password to log in to the system, the user should
         immediately change the password after logon.
      2. Information relating to identity verification may not be transmitted in
         plain text.
      3. Have the account lockout mechanism; if the identity verification for
         account logon fails three times, disallow such account to continue the
         trial of logon for at least fifteen minutes, or use failure verification
         mechanisms built by the agencies themselves.
      4. The cyber system with password-based authentication should impose a
         minimum complexity of passwords, and impose restrictions on the shortest
         and longest validity of passwords.
      5. When the users change passwords, the passwords may not be the same as
         those used for the previous three times.
      6. The measures specified in points 4 and 5 may be conducted for non-internal
         users according to the regulations formulated by the agencies themselves.

  Authentication information feedback
    All levels:
      The cyber system should shield the information in the course of
      authentication.
  Encryption module authentication
    High and Medium:
      When the cyber systems use passwords for authentication, such passwords should
      be encrypted, or stored after a hashing process.
    Common:
      No requirement.
  Identification or authentication of non-internal users
    All levels:
      The cyber systems should identify and authenticate non-internal users (or the
      program acting on behalf of agency users).
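The lockout, password-history, complexity/validity and hashed-storage controls of the “Identity verification management” and “Encryption module authentication” rows above, as an added example in Python that is not part of the Regulations or of any agency’s own code. The figures of three failures, fifteen minutes and three previous passwords are the Schedule’s; the complexity rule, the one-day and ninety-day validity windows and the PBKDF2 parameters are assumptions, since the Schedule only requires that the agency impose some.

```python
"""Added example; not part of the Regulations or of any agency's own code.

Enforces the "common"-level controls of the Identity verification management
row (account lockout after three failed logons for at least fifteen minutes,
no reuse of the previous three passwords, minimum password complexity,
shortest and longest password validity) and the Encryption module
authentication row (passwords stored only after a hashing process).
The figures 3 / 15 minutes / 3 come from Schedule 10; the complexity rule,
the validity windows and the PBKDF2 parameters are assumptions.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Tuple

LOCKOUT_FAILURES = 3          # Schedule 10, point 3: three failed logons
LOCKOUT_SECONDS = 15 * 60     # "for at least fifteen minutes"
HISTORY_DEPTH = 3             # Schedule 10, point 5: previous three passwords
MIN_AGE_SECONDS = 1 * 86400   # assumed shortest validity: one day
MAX_AGE_SECONDS = 90 * 86400  # assumed longest validity: ninety days
PBKDF2_ROUNDS = 100_000       # assumed work factor


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the plain-text password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def meets_complexity(password: str) -> bool:
    """Assumed minimum complexity: 12+ characters drawn from all four classes."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9\s]")
    return len(password) >= 12 and all(re.search(c, password) for c in classes)


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    changed_at: float                 # epoch seconds of the last password change
    failures: int = 0                 # consecutive failed logons since last success
    locked_until: float = 0.0         # logon refused while now < locked_until
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # earlier (salt, digest)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def create_account(name: str, password: str, now: float) -> Account:
    if not meets_complexity(password):
        raise ValueError("password does not meet the minimum complexity")
    salt, digest = hash_password(password)
    return Account(name, salt, digest, changed_at=now)


def login(acct: Account, password: str, now: float) -> str:
    """Returns 'ok', 'change_required', 'bad_password' or 'locked'."""
    if now < acct.locked_until:
        return "locked"               # no further trial of logon during the lockout
    if not _matches(password, acct.salt, acct.digest):
        acct.failures += 1
        if acct.failures >= LOCKOUT_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "bad_password"
    acct.failures = 0
    if now - acct.changed_at > MAX_AGE_SECONDS:
        return "change_required"      # longest validity exceeded
    return "ok"


def change_password(acct: Account, old: str, new: str, now: float) -> str:
    """Returns 'ok', 'bad_old', 'too_soon', 'weak' or 'reused'."""
    if not _matches(old, acct.salt, acct.digest):
        return "bad_old"
    if now - acct.changed_at < MIN_AGE_SECONDS:
        return "too_soon"             # shortest validity not yet reached
    if not meets_complexity(new):
        return "weak"
    previous = [(acct.salt, acct.digest)] + acct.history[:HISTORY_DEPTH - 1]
    if any(_matches(new, s, d) for s, d in previous):
        return "reused"               # equals one of the previous three passwords
    acct.history = previous           # exactly the three most recent from now on
    acct.salt, acct.digest = hash_password(new)
    acct.changed_at = now
    return "ok"
```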
Requirement Use the method of checklist to confirm system security
phase of requirements(including confidentiality, availability and integrity).
system
development
life circle
1. Depending on the system functions No requirement
and requirements, identify the threats
Design phase that might impact on the system, to
of system conduct risk analysis and assessment.
development 2. Feedback the risk assessment results
life circle to the screening items of the
requirement phase and submit the
revision of security requirements.
1. Execute “source code scanning” 1. Should practice
security testing. necessary control
2. Have notification mechanisms of measures for the
serious errors of the system. security
3. All control measures for the level of requirements.
Access to
“medium” and “common”. 2. Should pay
systems and
attention to the
services
avoidance of
Development common software
phase of vulnerabilities,
system and practice
development necessary
life circle measures.
3. When errors
occur, the user’s
pages display
short error
message and code
only, without
detailed error
message.
Testing phase 10. Execute “penetration testing” Execute “vulnerability
of system security testing.
scanning” security
development 11. All control measures for the level of
life circle “medium” and “common”. testing.
66
1. In the maintenance operation phase of 1.Under the
system development life circle, deployment
attention should be paid to the version environment,
control and change management. should conduct
Deployment 2. All control measures for the level of update and fixing
and “common”. of relevant cyber
maintenance security threats,
operation and close
phase of unnecessary
system services and
development ports.
life circle 2. Do NOT use
preset passwords
for relevant
software of cyber
systems.
Outsourcing If the development of the cyber system is outsourced, the security
phase of requirements by levels(including confidentiality, availability,
system integrity) for each phase of system development life circle shall be
development included in the outsourcing contract.
life circle
Development, testing, and formal No requirement
Obtaining
operation environments should be
programs
separated.
System Should store the documents relating to the management system
documents development life circle.
10. The cyber system No requirement No requirement
should adopt an
encryption
mechanism, to
prevent any
unauthorized
disclosure of
information or to
detect a change of
information;
unless there are
Protection of confidentiality
substitutive
systems and and integrity of
physical protection
communications transmission
measures in the
course of the
transmission.
11. Use public,
international
institution verified
and not cracked
algorithms.
12. Support the
maximum length
key of algorithms.
67
13. Periodically
change the
encryption key or
certification.
14. Should
formulate
management
regulations on the
custody of the
key at server
terminal, and
implement security
protection
measures that
should exist.
The static information No No requirement.
and the relevant requirement.
Security of confidential information
data storage required for protection
should be encrypted for
the storage.
1. Periodically confirm the status of The vulnerability
fixing of relevant vulnerabilities of fixing of the system
the cyber system. should be tested for the
Vulnerability
2. All control measures for the level of effectiveness and
fixing
“common”. potential impact and
should be updated
periodically.
3. The cyber 4. Monitor the If a sign of hacking to
system cyber system to the cyber system is
should adopt detect any found, should notify
automatic attack or the specific personnel
tools to unauthorized of the agencies
monitor the connection and thereof.
Integrity of
access of to identify the
systems and
communicati unauthorized
information
on flows; if users of the
unusual or cyber system.
Monitoring of
unauthorized 5. All control
cyber system
activities are measures for the
found, level of
conduct an “common”.
analysis of
such
activities.
4. All control
measures for
the level of
“medium”.

68
4. Should 1. Use integrity No requirement
conduct an verification
inspection of tools to detect
the integrity any
of software unauthorized
and change of
information. specific
5. All control software and
measures for information.
the level of 2. The
“medium”. examination of
the legitimacy
of input data of
users should be
The integrity of
placed on the
software and
server terminal
information
of the
application
system.
3. If any violation
to the integrity
is found, the
cyber system
should
implement the
security
protection
measures
designated by
the agencies.
Notes:
1. Static information refers to the information located at the specific elements in cyber systems,
such as the status of being stored in the equipment, or the information relating to the system that
is required for protection, such as the information of contents of setting firewalls, gateways,
hacking detection, defense system, filtering routers, and authentication tokens etc.
2. The central government level authority in charge of the subject industry of the specific non-
government agency may, depending on the actual requirements and to the extent of compliance
with these Regulations, otherwise provide for the cyber system defense standards of its regulated
specific non-government agency.
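As an added illustration of the identity verification management, encryption module authentication and authentication information feedback controls in the table above (example code added here, not part of the Regulations or any agency's system), the following Python account store enforces those controls: passwords stored only after salted hashing, a forced change of the preset password after first logon, lockout for fifteen minutes after three failed logons, shortest and longest password validity, and no reuse of the previous three passwords. The one-day and ninety-day validity limits, the complexity rule, and the sample account in the comments are constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Values taken from the table: three failed logons, fifteen-minute lockout,
# no reuse of the previous three passwords. Age and complexity thresholds are
# constructed examples of the "shortest/longest validity" and "least
# complexity" limits an agency would set for itself.
LOCKOUT_THRESHOLD = 3
LOCKOUT_SECONDS = 15 * 60
PASSWORD_HISTORY = 3
MIN_PASSWORD_AGE = 24 * 3600            # constructed: one day
MAX_PASSWORD_AGE = 90 * 24 * 3600       # constructed: ninety days
MIN_LENGTH = 12                         # constructed
PBKDF2_ITERATIONS = 100_000

Credential = Tuple[bytes, bytes]        # (salt, derived key)


def hash_password(password: str, salt: Optional[bytes] = None) -> Credential:
    """Store passwords only after hashing: salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def matches(password: str, cred: Credential) -> bool:
    """Constant-time comparison against a stored credential."""
    salt, key = cred
    return hmac.compare_digest(hash_password(password, salt)[1], key)


def meets_complexity(password: str) -> bool:
    """Constructed minimum complexity: length plus three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= MIN_LENGTH and sum(bool(re.search(c, password)) for c in classes) >= 3


@dataclass
class Account:
    name: str
    current: Credential
    set_at: float                       # epoch seconds when the current password was set
    must_change: bool = False           # True while the preset password is still in use
    failures: int = 0                   # consecutive failed logons since the last success
    locked_until: float = 0.0
    recent: List[Credential] = field(default_factory=list)  # last PASSWORD_HISTORY, current last


class AccountStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create_with_preset(self, name: str, preset: str, now: float) -> None:
        # Constructed sample use: create_with_preset("alice", "Preset-Pass-2019!", now)
        cred = hash_password(preset)
        self.accounts[name] = Account(name, cred, now, must_change=True, recent=[cred])

    def login(self, name: str, password: str, now: float) -> str:
        acct = self.accounts.get(name)
        if acct is None:
            return "denied"             # same answer as a wrong password: no account enumeration
        if now < acct.locked_until:
            return "locked"             # still inside the fifteen-minute lockout window
        if not matches(password, acct.current):
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return "locked"
            return "denied"
        acct.failures = 0
        if acct.must_change or now - acct.set_at > MAX_PASSWORD_AGE:
            return "change_required"    # preset password in use, or longest validity exceeded
        return "ok"

    def change_password(self, name: str, old: str, new: str, now: float) -> str:
        acct = self.accounts.get(name)
        if acct is None or not matches(old, acct.current):
            return "denied"             # identity is verified again before any change
        if not meets_complexity(new):
            return "weak"
        if not acct.must_change and now - acct.set_at < MIN_PASSWORD_AGE:
            return "too_soon"           # shortest validity of the current password not reached
        if any(matches(new, cred) for cred in acct.recent):
            return "reused"             # same as one of the previous three passwords
        cred = hash_password(new)
        acct.recent = (acct.recent + [cred])[-PASSWORD_HISTORY:]
        acct.current, acct.set_at, acct.must_change = cred, now, False
        return "ok"
```

The "no plain-text transmission" point of the same row is outside this in-process example; it is met by the transport (TLS) between client and server, not by the store.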

IV. Regulations on the Notification and
Response of Cyber Security Incident
Promulgated on November 21, 2018

Chapter 1 General Provisions

Article 1 These Regulations are stipulated in accordance with Paragraph 4 of Article 14 and Paragraph 4 of Article 18 of the Cyber Security Management Act (hereinafter referred to as the "Act").

Article 2 Cyber security incidents are classified into four levels.

A cyber security incident occurring to a government agency or a specific non-government agency (hereinafter referred to as "each agency") under any of the following circumstances is a level-1 cyber security incident:

1. Minor breach of non-core business information.

2. Minor alteration of non-core business information or non-core information and communication system.

3. Impact on or interruption of non-core business operation which may be recovered within the tolerable interruption time, resulting in impact on the daily operation of each agency.

A cyber security incident occurring to each agency under any of the following circumstances is a level-2 cyber security incident:

1. Serious breach of non-core business information, or minor breach of core business information not involving the maintenance and operation of critical infrastructures.

2. Serious alteration of non-core business information or non-core information and communication system, or minor alteration of core business information or core information and communication system not involving the maintenance and operation of critical infrastructures.

3. Impact on or interruption of non-core business operation which cannot be recovered within the tolerable interruption time, or impact on or interruption of core business or core information and communication system operation not involving the maintenance and operation of critical infrastructures, which may be recovered within the tolerable interruption time.

A cyber security incident occurring to each agency under any of the following circumstances is a level-3 cyber security incident:

1. Serious breach of core business information not involving the maintenance and operation of critical infrastructures, or minor breach of confidential or sensitive information of general official affairs, or minor breach of core business information involving the maintenance and operation of critical infrastructures.

2. Serious alteration of core business information or core information and communication system not involving the maintenance and operation of critical infrastructures, or minor alteration of confidential or sensitive information of general official affairs, or of core business information or core information and communication system involving the maintenance and operation of critical infrastructures.

3. Impact on or interruption of the operation of core business or core information and communication system not involving the maintenance and operation of critical infrastructures, which cannot be recovered within the tolerable interruption time, or impact on or interruption of the operation of core business or core information and communication system involving the maintenance and operation of critical infrastructures, which may be recovered within the tolerable interruption time.

A cyber security incident occurring to each agency under any of the following circumstances is a level-4 cyber security incident:

1. Serious breach of confidential or sensitive information of general official affairs, or of core business information involving the maintenance and operation of critical infrastructures, or breach of classified national security information.

2. Serious alteration of confidential or sensitive information of general official affairs, or of core business information or core information and communication system involving the maintenance and operation of critical infrastructures, or alteration of classified national security information.

3. Impact on or interruption of core business or core information and communication system involving the maintenance and operation of critical infrastructures, which cannot be recovered within the tolerable interruption time.

Article 3 The content of the notification of a cyber security incident shall include the following items:

1. The agency in which the incident occurred.

2. The time of occurrence or awareness.

3. The description of the situation.

4. Level assessment.

5. Coping measures in response to the incident.

6. Assessment of the requirement for external support.

7. Other relevant items.

Chapter 2 The notification and response of cyber security incident of government agency

Article 4 Upon awareness of a cyber security incident, the government agency shall conduct the notification of the cyber security incident within one hour, in the manner and to the recipients designated by the competent authority.

In case of a change to the level of the cyber security incident under the preceding paragraph, the government agency shall continue the notification as provided for in the preceding paragraph.

When the notification cannot be conducted in the manner specified in Paragraph 1 for some reason, the government agency shall conduct the notification in another appropriate manner within the timeframe prescribed under the same paragraph, and note the cause preventing the notification from being conducted in the required manner.

After the cause preventing the notification from being conducted in the manner required under Paragraph 1 has been eliminated, the government agency shall supplement the notification in that manner.

Article 5 After the completion of the notification of the cyber security incident, the competent authority shall complete the review of the level of such cyber security incident within the following timeframes, and may change its level according to the review results:

1. Within eight hours after receipt of the notification of a level-1 or level-2 cyber security incident.

2. Within two hours after receipt of the notification of a level-3 or level-4 cyber security incident.

The Presidential Office, the agencies directly subordinate to the central first-level agencies, and special municipalities and county (city) governments shall, after the notification of the cyber security incident conducted by themselves, their subordinate or supervisory government agencies, their governed villages (townships/cities), mountain indigenous district offices of special municipalities, the subordinate or supervisory government agencies of such governed villages (townships/cities) and mountain indigenous district offices of special municipalities, and the representative councils of the above said villages (townships/cities) and Mountain Indigenous Districts of Special Municipalities councils, complete the review of the level of such cyber security incident within the timeframes required under the preceding paragraph, and may change its level according to the review results.

After completion of the required review of the level of the cyber security incident, the agencies under the preceding paragraph shall notify the competent authority of the review results within one hour, and shall provide information relating to the basis of the reviews.

The Presidential Office, the National Security Council, the Legislative Yuan, the Judicial Yuan, the Examination Yuan, the Control Yuan, and special municipalities and county (city) councils shall, after completion of their own notification of the cyber security incident, conduct the review of the level of such cyber security incident within the timeframes specified under Paragraph 1, and shall notify and provide the competent authority with relevant information as required under the preceding paragraph.

Upon receipt of the notifications under the preceding two paragraphs, the competent authority shall further review the level of the cyber security incident according to the relevant information, and may change its level according to the review result. However, if it is deemed necessary, or if the agencies under Paragraph 2 and the preceding paragraph fail to notify of the required review results, the competent authority may directly review such cyber security incident and may change its level.

Article 6 Upon awareness of a cyber security incident, the government agency shall complete the damage control or recovery operation within the following timeframes, and shall conduct the notification in the manner and to the recipients designated by the competent authority:

1. Within seventy-two hours of the awareness of a level-1 or level-2 cyber security incident;

2. Within thirty-six hours of the awareness of a level-3 or level-4 cyber security incident.

After completion of the damage control or recovery operation under the preceding paragraph, the government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management and improvement report within one month in the manner designated by the competent authority.

The timeframe for submission of the investigation, management, and improvement report under the preceding paragraph may be extended with the consent of the superior or supervising agencies and the competent authority.

If the superior or supervising agencies or the competent authority deem it necessary, or deem that there is any non-compliance with regulatory requirements, improper matter or other matter to be improved in the investigation, management, and improvement report under Paragraph 2, they may require the government agency to give explanations and make adjustments.

Article 7 The Presidential Office, the agencies directly subordinate to central first-level agencies, and the special municipalities and county (city) governments shall provide necessary assistance or support in respect of the notification and response operation of the cyber security incident implemented by the government agency which is subordinate to, or supervised or regulated by, or whose businesses are related to them, if circumstances so require.

The competent authority may provide necessary support and assistance in respect of the response operation of the cyber security incident implemented by the government agency, if circumstances so require.

After the government agency becomes aware of a level-3 or level-4 cyber security incident, its Cyber Security Officer shall convene meetings to discuss relevant matters, and may request relevant agencies to provide assistance.

Article 8 The Presidential Office, the agencies directly subordinate to central first-level agencies, and the special municipalities and county (city) governments shall plan and conduct cyber security exercises for themselves, their subordinate or supervisory government agencies, their governed villages (townships/cities), mountain indigenous district offices of special municipalities, the subordinate or supervisory government agencies of such governed villages (townships/cities) and mountain indigenous district offices of special municipalities, and the representative councils of the above said villages (townships/cities) and Mountain Indigenous Districts of Special Municipalities councils, and shall submit the implementation status thereof and the result reports thereon to the competent authority within one month after the completion thereof.

The content of the exercise operation under the preceding paragraph shall include at least the following items:

1. Social engineering exercise shall be conducted once every six months.

2. The notification and response exercise of the cyber security incident shall be conducted once a year.

The Presidential Office and the central first-level agencies and special municipalities and county/city councils shall plan and conduct the cyber security exercise operation required under the preceding paragraph.

Article 9 The government agency shall stipulate the operational regulations on the notification of the cyber security incident, the content of which shall include the following matters:

1. The process and the accountabilities of judgment and determination of levels of the incident.

2. Assessment of the impact scope and damage degree of the incident and the response abilities of the agencies.

3. The process of internal notification of the cyber security incident.

4. The method and time of notification to other agencies impacted by the cyber security incident.

5. The exercises under the preceding four subparagraphs.

6. The contact window and methods of notification of the cyber security incident.

7. Other matters relating to the cyber security incident.

Article 10 The government agency shall stipulate the operational regulations on the response of the cyber security incident, the content of which shall include the following matters:

1. The organization of the response team.

2. The exercise prior to the occurrence of the incident.

3. The mechanism of damage control on the occurrence of the incident and request for technical support or other necessary assistance from the central authority in charge of the relevant industry concerned.

4. Recovery, identification, investigation, and improvement mechanisms after the occurrence of the incident.

5. The preservation of records relating to the incident.

6. Other matters relating to the response of the cyber security incident.

Chapter 3 The notification and response of cyber security incident of the specific non-government agency

Article 11 Upon awareness of a cyber security incident, the specific non-government agency shall conduct the notification of the cyber security incident within one hour in the manner designated by the central authority in charge of the relevant industry.

In case of a change to the level of the cyber security incident under the preceding paragraph, the specific non-government agency shall continue the notification as provided for in the preceding paragraph.

If the notification in the manner specified in Paragraph 1 is prevented for any cause, the specific non-government agency shall conduct the notification in another appropriate manner within the timeframe prescribed under the same paragraph, and note the cause for not being able to report in the prescribed manner.

After the elimination of the cause preventing the notification from being conducted in the manner required under Paragraph 1, the specific non-government agency shall supplement the notification in the original manner.

Article 12 After the specific non-government agency has completed the notification of the cyber security incident, the central authority in charge of the relevant industry shall complete verification of the level of such cyber security incident within the following timeframes, and may change its level according to the verification results:

1. Within eight hours after receipt of the notification of a level-1 or level-2 cyber security incident.

2. Within two hours after receipt of the notification of a level-3 or level-4 cyber security incident.

After completion of the verification of the cyber security incident as required under the preceding paragraph, the central authority in charge of the relevant industry shall proceed with the following requirements:

1. If the verification result indicates a level-1 or level-2 cyber security incident, it shall periodically summarize the verification result, basis, and other necessary information, and then submit them to the competent authority in the manner specified by the competent authority.

2. If the verification result indicates a level-3 or level-4 cyber security incident, it shall, within one hour of the completion of the verification, submit the verification result, basis, and other necessary information to the competent authority in the manner specified by the competent authority.

Upon receipt of the documentation under the preceding paragraph, the competent authority may review the level of the cyber security incident, and may change its level.

Article 13 Upon awareness of a cyber security incident, the specific non-government agency shall complete the damage control or recovery operation within the following timeframes, and shall conduct the notification in the manner designated by the central authority in charge of the relevant industry:

1. Within seventy-two hours of the awareness of a level-1 or level-2 cyber security incident.

2. Within thirty-six hours of the awareness of a level-3 or level-4 cyber security incident.

After completion of the damage control or recovery operation under the preceding paragraph, the specific non-government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management, and improvement report within one month in the manner designated by the central authority in charge of the relevant industry.

The timeframe for submission of the investigation, management, and improvement report under the preceding paragraph may be extended with the consent of the central authority in charge of the relevant industry.

If the central authority in charge of the relevant industry deems it necessary, or deems that there is any non-compliance with regulatory requirements, improper matter or other matter to be improved in the investigation, management, and improvement report under Paragraph 2, it may require the specific non-government agency to give explanations and make adjustments.

Upon review of the investigation, management, and improvement report on a level-3 or level-4 cyber security incident submitted by the specific non-government agency, the central authority in charge of the relevant industry shall submit such report to the competent authority; if the competent authority deems it necessary, or deems that there is any non-compliance with regulatory requirements, improper matter, or other matter to be improved, it may require the specific non-government agency to give explanations and make adjustments.

Article 14 The central authority in charge of the relevant industry shall provide necessary support or assistance in respect of the notification and response of the cyber security incident implemented by the specific non-government agency under its authority, if circumstances so require.

The competent authority may provide necessary support and assistance in respect of the notification and response operation of the cyber security incident implemented by the specific non-government agency, if circumstances so require.

After the specific non-government agency becomes aware of a level-3 or level-4 cyber security incident, it shall convene meetings to discuss relevant matters.

Article 15 The specific non-government agency shall stipulate the operational regulations on the notification of the cyber security incident, the content of which shall include the following matters:

1. The process and the accountabilities of judgment and determination of levels of the incident.

2. Assessment of the impact scope and damage degree of the incident and the response abilities of the agencies.

3. The process of internal notification of the cyber security incident.

4. The method and time of notification to other agencies impacted by the cyber security incident.

5. The exercises under the preceding four subparagraphs.

6. The contact window and methods of notification of the cyber security incident.

7. Other matters relating to the cyber security incident.

Article 16 The specific non-government agency shall stipulate the operational regulations on the response of the cyber security incident, the content of which shall include the following matters:

1. The organization of the response team.

2. The exercise prior to the occurrence of the incident.

3. The mechanism of damage control on the occurrence of the incident and request for technical support or other necessary assistance from the central authority in charge of the relevant industry concerned.

4. Recovery, identification, investigation, and improvement mechanisms after the occurrence of the incident.

5. The preservation of records relating to the incident.

6. Other matters relating to the response of the cyber security incident.

Chapter 4 Supplementary Provisions

Article 17 For a level-3 or level-4 cyber security incident of each agency, the competent authority may convene meetings and invite relevant agencies to discuss the damage control, recovery, and other relevant matters of such incident.

Article 18 The government agency shall cooperate with the competent authority, which shall plan and conduct the cyber security exercise. The content of the exercise may include the following matters:

1. Social engineering exercise.

2. The notification and response exercise of the cyber security incident.

3. Cyber offense and defense exercise.

4. Scenario exercise.

5. Other necessary exercise.

Article 19 The specific non-government agency shall, in coordination with the competent authority, plan and conduct the cyber security exercise, the content of which may include the following matters:

1. Cyber offense and defense exercise.

2. Scenario exercise.

3. Other necessary exercise.

If the cyber security exercise planned and conducted by the competent authority poses an imminent threat of infringement of the rights or legitimate interests of the specific non-government agency, such exercise may be conducted only with the written consent of such agency.

The written consent under the preceding paragraph may be given by electronic document in accordance with the Electronic Signatures Act.

Article 20 If, before the enforcement of these Regulations, a government agency has, independently or jointly with other agencies, formulated a notification and response mechanism for itself, for its subordinate or supervisory government agencies, or for its regulated specific non-government agencies, has enforced such mechanism for more than one year, and such mechanism is approved by the competent authority, it and its subordinate or supervisory government agencies or its regulated specific non-government agencies may continue to conduct the notification and response of cyber security incidents according to such mechanism.

In case of a change to the notification and response mechanism under the preceding paragraph, such change shall be submitted to the competent authority for approval again.

Article 21 The implementation date of these Regulations shall be stipulated by the competent authority.

V. Regulations on Audit of Implementation
of Cyber Security Maintenance Plan of
Specific Non-Government Agency
Promulgated on November 21, 2018

Article 1 These Regulations are stipulated in accordance with Paragraph 2 of Article 7 of the Cyber Security Management Act.

Article 2 A document "in writing" stipulated in these Regulations may be an electronic document in accordance with the provisions of the Electronic Signatures Act.

Article 3 The competent authority shall select and determine the specific non-government agencies (hereinafter referred to as the "audited agencies") for each quarter of the year, and may audit the implementation of their cyber security maintenance plans through onsite audit every year.

In selecting and determining the audited agencies under the preceding paragraph, the competent authority shall give comprehensive consideration to the significance and confidential sensitivity of their businesses, the size and nature of their cyber systems, the frequency and degree of occurrence of cyber security incidents, the results of cyber offense and defense exercises, the frequency and results of audits conducted by the competent authority or the central authority in charge of the relevant industry over past years, and other factors relating to cyber security.

In conducting the audit under Paragraph 1, the competent authority shall establish the audit program, the content of which shall include the basis and purposes, time period, essential fields of the audit, the manner of formation of the audit team, confidentiality obligations, the method, standards and items of the audit, and matters of assistance from the central authority in charge of the relevant industry.

In determining the essential fields, standards and items of the audit under the preceding paragraph, the competent authority shall take into comprehensive consideration the cyber security policy of our country, domestic and foreign cyber security trends, the contents and results of past audit programs, and any other factors relating to the proper allocation of audit resources or audit effectiveness.

Article 4 In conducting the audit under Paragraph 1 of the preceding article, the competent authority shall deliver the audit program notice in writing to the audited agency one month before the audit.

Due to business factors or other justifiable reasons, the audited agency may apply to the competent authority for adjustment of the audit date within five days of the receipt of the preceding notice in writing.

The preceding application is limited to one time, except in the case of force majeure.

Article 5 In conducting the audit under Paragraph 1 of Article 3, the competent authority may require the audited agency to give explanations on, cooperate with, or provide relevant documents and supporting information for onsite inspection of the implementation of the cyber security maintenance plan, and may conduct the following activities; the audited agency and its personnel shall cooperate accordingly:

1. Pre-audit interview.

2. Onsite physical audit.

If the audited agency cannot give the explanations, cooperate, or provide the documentation for onsite inspection under the preceding paragraph for reasons justifiable under the law, it shall submit the reasons in writing to the competent authority.

Upon receipt of the preceding notice in writing, the competent authority shall verify it and then take the following actions, and may suspend all or part of the audit operations:

1. If the reasons are considered justifiable, it shall record the reasons and relevant information in the audit report.

2. If the reasons are considered groundless, it shall require the audited agency to follow the requirements of Paragraph 1; if the audit operations have been suspended, it may select another time period to continue the audit and deliver the audit program notice in writing to the audited agency ten days before the audit.

Article 6 In conducting the audit under Paragraph 1 of Article 3, the competent authority shall form an audit team composed of three to seven persons for each audited agency, depending on the considerations under Paragraph 2 of the same article.

In forming the audit team under the preceding paragraph, the competent authority shall, taking the needs of the audit into consideration, invite representatives of government agencies, or experts and scholars who have professional knowledge of cyber security policies or of the technologies, management or legal affairs required for such audit, to act as members of such team; the number of representatives of government agencies may not be less than one-third of all members.

The competent authority shall sign, in writing, with members of audit teams on recusal due to conflicts of interest and confidentiality obligations.

If a member of the audit team under Paragraph 2 has any of the following circumstances, he shall recuse himself from acting as a member of that audit team:

1. He, his spouse, his relatives within the third degree, his family member, or the trustee of the property trusts of the above-mentioned persons has a property or non-property interest relationship with the audited agency or the responsible person thereof.

2. He, his spouse, his relatives within the third degree or his family member has an employment, contract, appointment, agency or other similar relationship with the audited agency or the responsible person thereof, currently or within the past two years.

3. He has served, currently or within the past two years, as a consultant of the audited agency and his mentoring project is related to the audit program.

4. Other circumstances in which his role as a member of the audit team might be considered to affect the impartiality of the audit result.

Article 7 The competent authority shall, within one month after the
completion of the audit operations on the audited agency as
designated for each quarter, deliver the audit reports to the
audited agencies for the quarter.

The contents of the preceding audit reports shall include the
scope of the audit, flaws or items to be improved, the status
of and reasons for the failure of the audited agency to give
explanations, cooperate or provide documentation for
onsite inspection under Paragraph 2 of Article 5, the
audit results of the competent authority under Paragraph 3
of the same article, and other necessary contents relating to
the audit.

Article 8 If flaws or items to be improved are found in the
implementation of the cyber security maintenance plan, the
audited agency shall submit an improvement report in the
manner specified by the competent authority within one
month after the competent authority has delivered the audit
report, and shall deliver the same to the central authority in
charge of the relevant industry. The competent authority
and the central authority in charge of the relevant industry
may require the audited agency to give explanations or make
adjustments when necessary.

After the improvement report is submitted under the
preceding paragraph, the audited agency shall submit the
implementation status of the improvement report in the
manner and within the timeframe specified by the
competent authority, and shall deliver the same to the
central authority in charge of the relevant industry. The
competent authority may require the audited agency to give
explanations or make adjustments when necessary.

Article 9 In conducting the audit under Paragraph 1 of Article 3, the
competent authority may require the central authority in
charge of the relevant industry of the audited agency to
dispatch personnel for necessary assistance.

Article 10 The date for enforcement of these Regulations shall be
decided by the competent authority.

VI. Cyber Security Information Sharing Regulations
Promulgated on November 21, 2018

Article 1 These Regulations are stipulated in accordance with
Paragraph 2 of Article 8 of the Cyber Security Management
Act (hereinafter referred to as the Act).

Article 2 The term cyber security information (hereinafter referred to
as the Information) as used in these Regulations refers to
information containing any of the following contents:

1. Malicious detection or collection activity against an
information and communication system.

2. Security vulnerabilities of an information and
communication system.

3. Methods that invalidate the security control measures of
an information and communication system or make use
of its security vulnerabilities.

4. Information relating to malicious programs.

5. The actual damage or possible negative impact caused
by a cyber security incident.

6. Relevant measures taken to detect, prevent or respond to
the circumstances under the preceding five subparagraphs,
or to mitigate the damage.

7. Other technical information relating to cyber security
incidents.

Article 3 The competent authority shall conduct international
cooperation in the matters of cyber security information
sharing.

The competent authority shall timely conduct cyber
security information sharing with government agencies.

A government agency shall timely conduct cyber security
information sharing with the competent authority, unless
such information has been shared under the preceding
paragraph or has been disclosed.

The central authority in charge of the relevant industry shall
timely conduct cyber security information sharing with the
specific non-government agencies under its charge.

A specific non-government agency may conduct cyber
security information sharing with the central authority in
charge of the relevant industry.

Article 4 Cyber security information under any of the following
circumstances may not be shared:

1. Information involving a business secret or relating to the
business operation of an individual, juristic person or
group, of which the disclosure or provision might
infringe upon a right or other legitimate interest of a
government agency, individual, juristic person or
group; unless it is otherwise provided by law, or
necessary for public welfare, or necessary for the
protection of the lives, bodies or health of the people, or
done with the consent of the party involved.

2. Other circumstances under which cyber security
information should be kept confidential, or its disclosure
should be restricted or prohibited.

Cyber security information containing contents that may
not be shared under the preceding paragraph may be shared
to the extent of the other portions only.

Article 5 In conducting cyber security information sharing, the
government agency or the specific non-government agency
(hereinafter referred to as each agency) shall analyze and
integrate the information and shall plan appropriate
security maintenance measures to prevent the breach of the
content of the information, of personal information, or of
information that may not be shared under the law, and the
unauthorized access thereto or tampering thereof.

Article 6 For the cyber security information received, each agency
shall identify its reliability and timeliness, shall timely
conduct an analysis of threats and vulnerabilities and make
a judgment of the potential risk, and shall take corresponding
prevention or contingency measures.

Article 7 In conducting cyber security information integration, each
agency may conduct correlation analysis with its
internal information based on the source, date of receipt,
available period and kind of the information, the extent
of the threat index, and other proper items.

A government agency may conduct cyber security
information sharing of any new threat that is found after the
integration.

Article 8 For the cyber security information received, each agency
shall take appropriate security measures to prevent the
breach of the content of the cyber security information, of
personal information or of information that may not be shared
under the law, and the unauthorized access thereto or
tampering thereof.

Article 9 In conducting cyber security information sharing, each
agency shall follow the procedure designated by the
competent authority or the central authority in charge of the
relevant industry, respectively.

If conducting cyber security information sharing in the
manner under the preceding paragraph is prevented for any
reason, each agency may conduct it in any of the following
manners with the consent of the competent authority or the
central authority in charge of the relevant industry,
respectively:

1. Written documents.

2. Fax.

3. Email.

4. Information system.

5. Other appropriate manner.

Article 10 Individual, juristic person or organization, to whom the Act
is not applicable, may conduct cyber security information
sharing, with the consent of the competent authority or the
central authority in charge of relevant industry.

In giving consent to an individual, juristic person or
organization for cyber security information sharing under
the preceding paragraph, the competent authority or the
central authority in charge of the relevant industry shall agree
with them in writing on the provisions for compliance with
the requirements under Article 4 through the preceding article.

Article 11 The date for enforcement of these Regulations shall be
decided by the competent authority.

Part 2: The comparison table of Chinese and English
資通安全管理法-英譯對照

資通安全管理法
Cyber Security Management Act

第一章 總則
Chapter I. General Provision

第一條 為積極推動國家資通安全政策,加速建構國家資通安全環境,以保障國家安全,維護社會公共利益,特制定本法。
Article 1. This Cyber Security Management Act (hereinafter referred to as the Act) is duly stipulated in an effort to positively carry out the national cyber security policy and accelerate the construction of the environment for national cyber security, so as to safeguard national security and protect the public interests of the entire society.

第二條 本法之主管機關為行政院。
Article 2. The competent authority over the Act is the Executive Yuan.

第三條 本法用詞,定義如下:
Article 3. The terms under the Act are defined as follows:

一、資通系統:指用以蒐集、控制、傳輸、儲存、流通、刪除資訊或對資訊為其他處理、使用或分享之系統。
1. Information and communication system: refers to a system used to collect, control, transmit, store, circulate or delete information, or to otherwise process, use or share such information.

二、資通服務:指與資訊之蒐集、控制、傳輸、儲存、流通、刪除、其他處理、使用或分享相關之服務。
2. Information and communication service: refers to a service relating to the collection, control, transmission, storage, circulation, deletion, other processing, use or sharing of information.

三、資通安全:指防止資通系統或資訊遭受未經授權之存取、使用、控制、洩漏、破壞、竄改、銷毀或其他侵害,以確保其機密性、完整性及可用性。
3. Cyber security: refers to the effort to prevent an information and communication system or information from unauthorized access, use, control, disclosure, damage, alteration, destruction or other infringement, so as to assure the confidentiality, integrity and availability of the information and system.

四、資通安全事件:指系統、服務或網路狀態經鑑別而顯示可能有違反資通安全政策或保護措施失效之狀態發生,影響資通系統機能運作,構成資通安全政策之威脅。
4. Cyber security incident: refers to an event where the state of a system, service or network, through identification, likely shows a violation of the cyber security policy or a failure of the security protective measures, thus adversely affecting the functioning of the information and communication system and constituting a threat against the cyber security policy.

五、公務機關:指依法行使公權力之中央、地方機關(構)或公法人。但不包括軍事機關及情報機關。
5. Government agency: refers to a central or local government agency (institution) or public juristic person that exercises public power according to law, excluding military and intelligence agencies.

六、特定非公務機關:指關鍵基礎設施提供者、公營事業及政府捐助之財團法人。
6. Specific non-government agency: refers to critical infrastructure providers, government-owned enterprises and government-endowed foundations.

七、關鍵基礎設施:指實體或虛擬資產、系統或網路,其功能一旦停止運作或效能降低,對國家安全、社會公共利益、國民生活或經濟活動有重大影響之虞,經主管機關定期檢視並公告之領域。
7. Critical infrastructure: refers to an asset, system or network, either physical or virtual, which, once discontinued from operation or becoming less effective, would likely lead to significant negative impact upon national security, public interests, the living standard of citizens or economic activities, and which is regularly re-examined and promulgated by the competent authority.

八、關鍵基礎設施提供者:指維運或提供關鍵基礎設施之全部或一部,經中央目的事業主管機關指定,並報主管機關核定者。
8. Critical infrastructure provider: refers to one who maintains or provides critical infrastructure, either in whole or in part, as designated by the central authority in charge of relevant industry and submitted to the competent authority for ratification.

九、政府捐助之財團法人:指其營運及資金運用計畫應依預算法第四十一條第三項規定送立法院,及其年度預算書應依同條第四項規定送立法院審議之財團法人。
9. Government-endowed foundation: refers to a foundation whose operation and capital employment plan shall be submitted to the Legislative Yuan in accordance with Paragraph 3 of Article 41 of the Budget Act, and whose annual budget statement shall be submitted to the Legislative Yuan for deliberation in accordance with Paragraph 4 of the same Article.

第四條 為提升資通安全,政府應提供資源,整合民間及產業力量,提升全民資通安全意識,並推動下列事項:
Article 4. In an effort to promote cyber security, the government shall provide resources, integrate the momentum of both civilian groups and private sectors, boost the cyber security awareness of all people, and promote the following matters:

一、資通安全專業人才之培育。
1. Cultivation of cyber security professionals.

二、資通安全科技之研發、整合、應用、產學合作及國際交流合作。
2. Research and development, integration and application of cyber security technology, industry-academia cooperation, and interchange and cooperation with the international community.

三、資通安全產業之發展。
3. Development of the cyber security industry.

四、資通安全軟硬體技術規範、相關服務與審驗機制之發展。
4. Development of cyber security related software and hardware specifications, relevant services and verification mechanisms.

前項相關事項之推動,由主管機關以國家資通安全發展方案定之。
Promotion of the matters in the preceding Paragraph shall be stipulated by the competent authority in the national cyber security program.

第五條 主管機關應規劃並推動國家資通安全政策、資通安全科技發展、國際交流合作及資通安全整體防護等相關事宜,並應定期公布國家資通安全情勢報告、對公務機關資通安全維護計畫實施情形稽核概況報告及資通安全發展方案。
Article 5. The competent authority shall plan and promote the national cyber security policy, cyber security technology development, interchange and cooperation with the international community, comprehensive cyber security protection and other relevant undertakings, and shall regularly announce the report on the national cyber security status, the summary audit report on the implementation of the cyber security maintenance plans of government agencies, and the national cyber security program.

前項情勢報告、實施情形稽核概況報告及資通安全發展方案,應送立法院備查。
The status report, summary audit report and national cyber security program of the preceding Paragraph shall be submitted to the Legislative Yuan for review.

第六條 主管機關得委任或委託其他公務機關、法人或團體,辦理資通安全整體防護、國際交流合作及其他資通安全相關事務。
Article 6. The competent authority may commission or entrust another government agency, juristic person or organization to implement the integrated protection of cyber security, interchange and cooperation with the international community, and other cyber security related matters.

前項被委託之公務機關、法人或團體或被複委託者,不得洩露在執行或辦理相關事務過程中所獲悉關鍵基礎設施提供者之秘密。
The government agency, juristic person or organization entrusted under the preceding Paragraph, or its second-tier subcontractor, shall not divulge any secret of a critical infrastructure provider which becomes known in the process of enforcing or implementing the relevant matters.

第七條 主管機關應衡酌公務機關及特定非公務機關業務之重要性與機敏性、機關層級、保有或處理之資訊種類、數量、性質、資通系統之規模及性質等條件,訂定資通安全責任等級之分級;其分級基準、等級變更申請、義務內容、專責人員之設置及其他相關事項之辦法,由主管機關定之。
Article 7. The competent authority shall stipulate the classification of cyber security responsibility levels by considering the importance, confidentiality and sensitivity of the business of the government agency or specific non-government agency, the hierarchy of the agency, the category, quantity and attribute of the information reserved or processed, and the scale and attribute of its information and communication system. The regulations regarding the baseline for the responsibility levels, application for a change in level, content of obligations, staffing of dedicated personnel and other relevant matters shall be stipulated by the competent authority.

主管機關得稽核特定非公務機關之資通安全維護計畫實施情形;其稽核之頻率、內容與方法及其他相關事項之辦法,由主管機關定之。
The competent authority may audit a specific non-government agency on its implementation of the cyber security maintenance plan; the regulations regarding the frequency, content and method of such audit and other relevant matters shall be stipulated by the competent authority.

特定非公務機關受前項之稽核,經發現其資通安全維護計畫實施有缺失或待改善者,應向主管機關提出改善報告,並送中央目的事業主管機關。
When a specific non-government agency is audited under the preceding Paragraph and found defective or needing improvement in the implementation of its cyber security maintenance plan, it shall submit an improvement report to the competent authority and to the central authority in charge of relevant industry.

第八條 主管機關應建立資通安全情資分享機制。
Article 8. The competent authority shall set up a cyber security information sharing mechanism.

前項資通安全情資之分析、整合與分享之內容、程序、方法及其他相關事項之辦法,由主管機關定之。
The regulations regarding the content, procedure and method of the analysis, integration and sharing of the cyber security information in the preceding Paragraph, and other relevant matters, shall be stipulated by the competent authority.

第九條 公務機關或特定非公務機關,於本法適用範圍內,委外辦理資通系統之建置、維運或資通服務之提供,應考量受託者之專業能力與經驗、委外項目之性質及資通安全需求,選任適當之受託者,並監督其資通安全維護情形。
Article 9. When a government agency or specific non-government agency, within the scope of application of this Act, outsources the setup or maintenance of an information and communication system or the provision of an information and communication service, it shall take into account the outsourced party's professional capability and experience, the attribute of the outsourced item and the cyber security requirements, select an appropriate outsourced party, and oversee its cyber security maintenance.

第二章 公務機關資通安全管理
Chapter II. Government Agency Cyber Security Management

第十條 公務機關應符合其所屬資通安全責任等級之要求,並考量其所保有或處理之資訊種類、數量、性質、資通系統之規模與性質等條件,訂定、修正及實施資通安全維護計畫。
Article 10. A government agency shall satisfy the requirements of its cyber security responsibility level, and shall take into account the category, quantity and attribute of the information reserved or processed, along with the scale and attribute of its information and communication system, to stipulate, amend and implement a cyber security maintenance plan.

第十一條 公務機關應置資通安全長,由機關首長指派副首長或適當人員兼任,負責推動及監督機關內資通安全相關事務。
Article 11. A government agency shall staff the position of Cyber Security Officer, to be concurrently served by the deputy head or other appropriate personnel as designated by the agency head. The Cyber Security Officer shall be responsible for carrying out and overseeing the cyber security related matters of the agency.

第十二條 公務機關應每年向上級或監督機關提出資通安全維護計畫實施情形;無上級機關者,其資通安全維護計畫實施情形應送交主管機關。
Article 12. A government agency shall annually submit to its superior or supervisory authority a report on the implementation of its cyber security maintenance plan. Where there is no superior authority, the implementation report shall be submitted to the competent authority.

第十三條 公務機關應稽核其所屬或監督機關之資通安全維護計畫實施情形。
Article 13. A government agency shall audit the implementation of the cyber security maintenance plans of the agencies subordinate to or supervised by it.

受稽核機關之資通安全維護計畫實施有缺失或待改善者,應提出改善報告,送交稽核機關及上級或監督機關。
When an audited agency is found defective or needing improvement in the implementation of its cyber security maintenance plan, it shall submit an improvement report to the auditing agency and to its superior or supervisory authority.

第十四條 公務機關為因應資通安全事件,應訂定通報及應變機制。
Article 14. To cope with cyber security incidents, a government agency shall stipulate a reporting and responding mechanism.

公務機關知悉資通安全事件時,除應通報上級或監督機關外,並應通報主管機關;無上級機關者,應通報主管機關。
When privy to a cyber security incident, the government agency shall report to its superior or supervisory authority as well as to the competent authority. Where there is no superior authority, the government agency shall report to the competent authority.

公務機關應向上級或監督機關提出資通安全事件調查、處理及改善報告,並送交主管機關;無上級機關者,應送交主管機關。
A government agency shall file a report on the investigation, handling and improvement of the cyber security incident with its superior or supervisory authority, and shall submit it to the competent authority. Where there is no superior authority, the government agency shall submit it to the competent authority.

前三項通報及應變機制之必要事項、通報內容、報告之提出及其他相關事項之辦法,由主管機關定之。
The regulations regarding the essentials of the reporting and responding mechanism, the content of notification, the submittal of reports and other relevant matters in the three preceding Paragraphs shall be stipulated by the competent authority.

第十五條 公務機關所屬人員對於機關之資通安全維護績效優良者,應予獎勵。
Article 15. A government agency shall present incentive awards to its personnel with proven performance in the cyber security maintenance of the agency.

前項獎勵事項之辦法,由主管機關定之。
The regulations for the incentive awards in the preceding Paragraph shall be stipulated by the competent authority.

第三章 特定非公務機關資通安全管理
Chapter III. Specific Non-Government Agency Cyber Security Management

第十六條 中央目的事業主管機關應於徵詢相關公務機關、民間團體、專家學者之意見後,指定關鍵基礎設施提供者,報請主管機關核定,並以書面通知受核定者。
Article 16. The central authority in charge of relevant industry shall, after consulting the relevant government agencies, civil associations, scholars and experts for their opinions, designate the critical infrastructure providers, submit them to the competent authority for approval, and notify the approved providers in writing.

關鍵基礎設施提供者應符合其所屬資通安全責任等級之要求,並考量其所保有或處理之資訊種類、數量、性質、資通系統之規模與性質等條件,訂定、修正及實施資通安全維護計畫。
A critical infrastructure provider shall satisfy the requirements of its cyber security responsibility level, and shall take into account the category, quantity and attribute of the information reserved or processed, along with the scale and attribute of its information and communication system, to stipulate, amend and implement a cyber security maintenance plan.

關鍵基礎設施提供者應向中央目的事業主管機關提出資通安全維護計畫實施情形。
A critical infrastructure provider shall submit to the central authority in charge of relevant industry a report on the implementation of its cyber security maintenance plan.

中央目的事業主管機關應稽核所管關鍵基礎設施提供者之資通安全維護計畫實施情形。
The central authority in charge of relevant industry shall audit the implementation of the cyber security maintenance plans of the critical infrastructure providers under its charge.

關鍵基礎設施提供者之資通安全維護計畫實施有缺失或待改善者,應提出改善報告,送交中央目的事業主管機關。
When a critical infrastructure provider is found defective or needing improvement in the implementation of its cyber security maintenance plan, it shall submit an improvement report to the central authority in charge of relevant industry.

第二項至第五項之資通安全維護計畫必要事項、實施情形之提出、稽核之頻率、內容與方法、改善報告之提出及其他應遵行事項之辦法,由中央目的事業主管機關擬訂,報請主管機關核定之。
The regulations regarding the essentials of the cyber security maintenance plan, the submittal of the implementation report, the frequency, content and method of audit, the submittal of improvement reports and other matters to be complied with under Paragraph 2 to Paragraph 5 shall be drafted by the central authority in charge of relevant industry and submitted to the competent authority for approval.

第十七條 關鍵基礎設施提供者以外之特定非公務機關,應符合其所屬資通安全責任等級之要求,並考量其所保有或處理之資訊種類、數量、性質、資通系統之規模與性質等條件,訂定、修正及實施資通安全維護計畫。
Article 17. A specific non-government agency other than a critical infrastructure provider shall satisfy the requirements of its cyber security responsibility level, and shall take into account the category, quantity and attribute of the information reserved or processed, along with the scale and attribute of its information and communication system, to stipulate, amend and implement a cyber security maintenance plan.

中央目的事業主管機關得要求所管前項特定非公務機關,提出資通安全維護計畫實施情形。
The central authority in charge of relevant industry may request a specific non-government agency under its charge mentioned in the preceding Paragraph to submit a report on the implementation of its cyber security maintenance plan.

中央目的事業主管機關得稽核所管第一項特定非公務機關之資通安全維護計畫實施情形,發現有缺失或待改善者,應限期要求受稽核之特定非公務機關提出改善報告。
The central authority in charge of relevant industry may audit the implementation of the cyber security maintenance plan of a specific non-government agency under its charge mentioned in Paragraph 1; where it is found defective or needing improvement, the central authority shall require the audited specific non-government agency to submit an improvement report within a specified time limit.

前三項之資通安全維護計畫必要事項、實施情形之提出、稽核之頻率、內容與方法、改善報告之提出及其他應遵行事項之辦法,由中央目的事業主管機關擬訂,報請主管機關核定之。
The regulations regarding the essentials of the cyber security maintenance plan, the submittal of the implementation report, the frequency, content and method of audit, the submittal of improvement reports and other matters to be complied with under the three preceding Paragraphs shall be drafted by the central authority in charge of relevant industry and submitted to the competent authority for approval.

第十八條 特定非公務機關為因應資通安全事件,應訂定通報及應變機制。
Article 18. To cope with cyber security incidents, a specific non-government agency shall stipulate a reporting and responding mechanism.

特定非公務機關於知悉資通安全事件時,應向中央目的事業主管機關通報。
When privy to a cyber security incident, a specific non-government agency shall report to the central authority in charge of relevant industry.

特定非公務機關應向中央目的事業主管機關提出資通安全事件調查、處理及改善報告;如為重大資通安全事件者,並應送交主管機關。
A specific non-government agency shall file a report on the investigation, handling and improvement of the cyber security incident with the central authority in charge of relevant industry; in the case of a severe cyber security incident, it shall also submit the report to the competent authority.

前三項通報及應變機制之必要事項、通報內容、報告之提出及其他應遵行事項之辦法,由主管機關定之。
The regulations regarding the essentials of the reporting and responding mechanism, the content of notification, the submittal of reports and other matters to be complied with under the three preceding Paragraphs shall be stipulated by the competent authority.

知悉重大資通安全事件時,主管機關或中央目的事業主管機關於適當時機得公告與事件相關之必要內容及因應措施,並得提供相關協助。
When privy to a severe cyber security incident, the competent authority or the central authority in charge of relevant industry may, at an appropriate time, promulgate the essential contents of the incident and the coping measures, and may render relevant support.

第四章 罰則
Chapter IV. Penalties

第十九條 公務機關所屬人員未遵守本法規定者,應按其情節輕重,依相關規定予以懲戒或懲處。
Article 19. Personnel of a government agency who fail to comply with the provisions of the Act shall, according to the seriousness of the circumstances, be subject to discipline or penalty in accordance with the relevant regulations.

前項懲處事項之辦法,由主管機關定之。
The regulations for the penalties in the preceding Paragraph shall be stipulated by the competent authority.

第二十條 特定非公務機關有下列情形之一者,由中央目的事業主管機關令限期改正;屆期未改正者,按次處新臺幣十萬元以上一百萬元以下罰鍰:
Article 20. If a specific non-government agency has any of the circumstances enumerated below, the central authority in charge of relevant industry shall order it to complete corrective actions within a specified time limit. If it fails to do so within the specified time limit, it shall be subject to a fine of not less than NT$100,000 and not more than NT$1,000,000 for each offense:

一、未依第十六條第二項或第十七條第一項規定,訂定、修正或實施資通安全維護計畫,或違反第十六條第六項或第十七條第四項所定辦法中有關資通安全維護計畫必要事項之規定。
1. It fails to stipulate, amend or implement the cyber security maintenance plan in accordance with Paragraph 2 of Article 16 or Paragraph 1 of Article 17, or violates the provisions on the essentials of the cyber security maintenance plan in the regulations under Paragraph 6 of Article 16 or Paragraph 4 of Article 17.

二、未依第十六條第三項或第十七條第二項規定,向中央目的事業主管機關提出資通安全維護計畫之實施情形,或違反第十六條第六項或第十七條第四項所定辦法中有關資通安全維護計畫實施情形提出之規定。
2. It fails to submit the report on the implementation of the cyber security maintenance plan to the central authority in charge of relevant industry in accordance with Paragraph 3 of Article 16 or Paragraph 2 of Article 17, or violates the provisions on the submittal of the implementation report in the regulations under Paragraph 6 of Article 16 or Paragraph 4 of Article 17.

三、未依第七條第三項、第十六條第五項或第十七條第三項規定,提出改善報告送交主管機關、中央目的事業主管機關,或違反第十六條第六項或第十七條第四項所定辦法中有關改善報告提出之規定。
3. It fails to submit the improvement report to the competent authority or the central authority in charge of relevant industry in accordance with Paragraph 3 of Article 7, Paragraph 5 of Article 16 or Paragraph 3 of Article 17, or violates the provisions on the submittal of improvement reports in the regulations under Paragraph 6 of Article 16 or Paragraph 4 of Article 17.

四、未依第十八條第一項規定,訂定資通安全事件之通報及應變機制,或違反第十八條第四項所定辦法中有關通報及應變機制必要事項之規定。
4. It fails to stipulate the reporting and responding mechanism for cyber security incidents in accordance with Paragraph 1 of Article 18, or violates the provisions on the essentials of the reporting and responding mechanism in the regulations under Paragraph 4 of Article 18.

五、未依第十八條第三項規定,向中央目的事業主管機關或主管機關提出資通安全事件之調查、處理及改善報告,或違反第十八條第四項所定辦法中有關報告提出之規定。
5. It fails to submit the investigation, handling and improvement report on a cyber security incident to the central authority in charge of relevant industry or the competent authority in accordance with Paragraph 3 of Article 18, or violates the provisions on the submittal of reports in the regulations under Paragraph 4 of Article 18.

六、違反第十八條第四項所定辦法中有關通報內容之規定。
6. It violates the provisions on the content of notification in the regulations under Paragraph 4 of Article 18.

第二十一條 特定非公務機關未依第十八條第二項規定,通報資通安全事件,由中央目的事業主管機關處新臺幣三十萬元以上五百萬元以下罰鍰,並令限期改正;屆期未改正者,按次處罰之。
Article 21. If a specific non-government agency fails to report a cyber security incident in accordance with Paragraph 2 of Article 18, the central authority in charge of relevant industry shall impose a fine of not less than NT$300,000 and not more than NT$5,000,000, and shall order it to complete corrective actions within a specified time limit. If it fails to do so within the specified time limit, a penalty shall be imposed for each additional offense.

第五章 附則
Chapter V. Supplementary Provisions

第二十二條 本法施行細則,由主管機關定之。
Article 22. The enforcement rules of the Act shall be stipulated by the competent authority.

第二十三條 本法施行日期,由主管機關定之。
Article 23. The implementation date of the Act shall be stipulated by the competent authority.

資通安全管理法施行細則-英譯對照

資通安全管理法施行細則
Enforcement Rules of Cyber Security Management Act

第一條 本細則依資通安全管理法(以下簡稱本法)第二十二條規定訂定之。
Article 1 These Rules are stipulated in accordance with Article 22 of the Cyber Security Management Act (hereinafter referred to as the Act).

第二條 本法第三條第五款所稱軍事機關,指國防部及其所屬機關(構)、部隊、學校;所稱情報機關,指國家情報工作法第三條第一項第一款及第二項規定之機關。
Article 2 The term “military agency” as used in Subparagraph 5 of Article 3 of the Act refers to the Ministry of National Defense and its subordinate agencies (institutions), troops and schools; the term “intelligence agency” as used therein refers to the agencies specified in Subparagraph 1 of Paragraph 1 and Paragraph 2 of Article 3 of the National Intelligence Services Law.

第三條 公務機關或特定非公務機關(以下簡稱各機關)依本法第七條第三項、第十三條第二項、第十六條第五項或第十七條第三項提出改善報告,應針對資通安全維護計畫實施情形之稽核結果提出下列內容,並依主管機關、上級或監督機關或中央目的事業主管機關指定之方式及時間,提出改善報告之執行情形:
Article 3 In submitting an improvement report under Paragraph 3 of Article 7, Paragraph 2 of Article 13, Paragraph 5 of Article 16 or Paragraph 3 of Article 17 of the Act, a government agency or specific non-government agency (hereinafter referred to as “each agency”) shall submit the following contents in response to the audit result on the implementation of its cyber security maintenance plan, and shall submit the implementation status of the improvement report in the manner and within the time designated by the competent authority, the superior or supervisory authority, or the central authority in charge of relevant industry:

一、缺失或待改善之項目及內容。
1. Flaws or items to be improved and their contents.

二、發生原因。
2. Causes of occurrence.

三、為改正缺失或補強待改善項目所採取管理、技術、人力或資源等層面之措施。
3. Measures in the aspects of management, technology, manpower or resources taken to correct the flaws or strengthen the items to be improved.

四、前款措施之預定完成時程及執行進度之追蹤方式。
4. The estimated completion schedule of the measures under the preceding subparagraph and the method of tracking implementation progress.

第四條 各機關依本法第九條規定委外辦理資通系統之建置、維運或資通服務之提供（以下簡稱受託業務），選任及監督受託者時，應注意下列事項：
一、受託者辦理受託業務之相關程序及環境，應具備完善之資通安全管理措施或通過第三方驗證。
二、受託者應配置充足且經適當之資格訓練、擁有資通安全專業證照或具有類似業務經驗之資通安全專業人員。
三、受託者辦理受託業務得否複委託、得複委託之範圍與對象，及複委託之受託者應具備之資通安全維護措施。
四、受託業務涉及國家機密者，執行受託業務之相關人員應接受適任性查核，並依國家機密保護法之規定，管制其出境。
五、受託業務包括客製化資通系統開發者，受託者應提供該資通系統之安全性檢測證明；該資通系統屬委託機關之核心資通系統，或委託金額達新臺幣一千萬元以上者，委託機關應自行或另行委託第三方進行安全性檢測；涉及利用非受託者自行開發之系統或資源者，並應標示非自行開發之內容與其來源及提供授權證明。
六、受託者執行受託業務，違反資通安全相關法令或知悉資通安全事件時，應立即通知委託機關及採行之補救措施。
七、委託關係終止或解除時，應確認受託者返還、移交、刪除或銷毀履行契約而持有之資料。
八、受託者應採取之其他資通安全相關維護措施。
九、委託機關應定期或於知悉受託者發生可能影響受託業務之資通安全事件時，以稽核或其他適當方式確認受託業務之執行情形。
委託機關辦理前項第四款之適任性查核，應考量受託業務所涉及國家機密之機密等級及內容，就執行該業務之受託者所屬人員及可能接觸該國家機密之其他人員，於必要範圍內查核有無下列事項：
一、曾犯洩密罪，或於動員戡亂時期終止後，犯內亂罪、外患罪，經判刑確定，或通緝有案尚未結案。
二、曾任公務員，因違反相關安全保密規定受懲戒或記過以上行政懲處。
三、曾受到外國政府、大陸地區、香港或澳門政府之利誘、脅迫，從事不利國家安全或重大利益情事。
四、其他與國家機密保護相關之具體項目。
第一項第四款情形，應記載於招標公告、招標文件及契約；於辦理適任性查核前，並應經當事人書面同意。
Article 4 When each agency, in accordance with Article 9 of the Act, outsources the setup or maintenance and operation of information and communication systems, or the provision of information and communication services (hereinafter referred to as the “outsourced business”), it shall pay attention to the following matters in selecting and supervising the outsourced party:
1. The procedures and environment of the outsourced party in conducting the outsourced business shall have complete cyber security management measures or have passed third-party verification.
2. The outsourced party shall deploy sufficient cyber security professionals who are properly qualified and trained, who hold cyber security professional licenses, or who have similar business experience.
3. Whether the outsourced party may subcontract the outsourced business, the scope and objects that may be subcontracted, and the cyber security maintenance measures that the subcontractor shall have.
4. If the outsourced business involves classified national security information, the personnel who conduct the outsourced business shall undergo a competency audit, and their departure from the country shall be controlled in accordance with the Classified National Security Information Protection Act.
5. If the outsourced business includes customized development of an information and communication system, the outsourced party shall provide a security testing certificate for such system; if such system is a core information and communication system of the outsourcing agency, or the outsourcing amount exceeds NT$10,000,000, the outsourcing agency shall conduct the security testing itself or separately contract a third party to conduct it; if the use of systems or resources not developed by the outsourced party is involved, the content and source of what was not developed by the outsourced party shall be indicated and certification of authorization thereof shall be provided.
6. If, in conducting the outsourced business, the outsourced party violates cyber security laws or regulations or becomes aware of a cyber security incident, it shall immediately notify the outsourcing agency thereof and of the remedial measures taken.
7. When the entrusting relationship is terminated or canceled, it shall be confirmed that the outsourced party has returned, handed over, deleted or destroyed all data held for the performance of the contract.
8. Other relevant cyber security maintenance measures that the outsourced party shall take.
9. The outsourcing agency shall, periodically or whenever it becomes aware of a cyber security incident at the outsourced party that might affect the outsourced business, confirm the implementation status of the outsourced business by audit or other appropriate methods.
In conducting the competency audit under Subparagraph 4 of the preceding paragraph, the outsourcing agency shall take into consideration the confidentiality level and content of the classified national security information involved in the outsourced business, and shall, to the necessary extent, check whether the personnel of the outsourced party who perform such business, or other personnel who might access such classified national security information, fall under any of the following circumstances:
1. Having committed the offense of disclosing secrets, or having committed the offense of civil disturbance or treason after the termination of the Period of National Mobilization for Suppression of the Communist Rebellion, and having been finally convicted or being on a wanted list that has not been closed.
2. Having been a public official who was subject to disciplinary action, or to an administrative penalty of a demerit or above, for violating relevant security and confidentiality regulations.
3. Having been induced or coerced by a foreign government, or by the government of mainland China, Hong Kong or Macau, to engage in activities unfavorable to national security or the significant interests of the nation.
4. Other concrete items relating to the protection of classified national security information.
The circumstances under Subparagraph 4 of Paragraph 1 shall be stated in the tender notice, tender documents and contract; before the competency audit is conducted, the written consent of the persons concerned shall be obtained.
第五條 前條第三項及本法第十六條第一項之書面，依電子簽章法之規定，得以電子文件為之。
Article 5 The written document under Paragraph 3 of the preceding article and under Paragraph 1 of Article 16 of the Act may be an electronic document in accordance with the Electronic Signatures Act.
第六條 本法第十條、第十六條第二項及第十七條第一項所定資通安全維護計畫，應包括下列事項：
一、核心業務及其重要性。
二、資通安全政策及目標。
三、資通安全推動組織。
四、專責人力及經費之配置。
五、公務機關資通安全長之配置。
六、資訊及資通系統之盤點，並標示核心資通系統及相關資產。
七、資通安全風險評估。
八、資通安全防護及控制措施。
九、資通安全事件通報、應變及演練相關機制。
十、資通安全情資之評估及因應機制。
十一、資通系統或服務委外辦理之管理措施。
十二、公務機關所屬人員辦理業務涉及資通安全事項之考核機制。
十三、資通安全維護計畫與實施情形之持續精進及績效管理機制。
各機關依本法第十二條、第十六條第三項或第十七條第二項規定提出資通安全維護計畫實施情形，應包括前項各款之執行成果及相關說明。
第一項資通安全維護計畫之訂定、修正、實施及前項實施情形之提出，公務機關得由其上級或監督機關辦理；特定非公務機關得由其中央目的事業主管機關、中央目的事業主管機關所屬公務機關辦理，或經中央目的事業主管機關同意，由其所管特定非公務機關辦理。
Article 6 The cyber security maintenance plan under Article 10, Paragraph 2 of Article 16, and Paragraph 1 of Article 17 of the Act shall include the following:
1. Core businesses and their significance.
2. Cyber security policy and objectives.
3. The organization promoting cyber security.
4. The deployment of dedicated manpower and funds.
5. The deployment of the Cyber Security Officer of the government agency.
6. The inventory of information and of information and communication systems, indicating the core systems and relevant assets.
7. Cyber security risk assessment.
8. Cyber security protection and control measures.
9. The reporting, response and rehearsal mechanisms relating to cyber security incidents.
10. The assessment and response mechanism for cyber security information.
11. Management measures for outsourced information and communication systems or services.
12. The assessment mechanism for personnel of the government agency who conduct business involving cyber security matters.
13. The continual improvement and performance management mechanism for the cyber security maintenance plan and its implementation status.
The implementation status of the cyber security maintenance plan submitted by each agency under Article 12, Paragraph 3 of Article 16, or Paragraph 2 of Article 17 of the Act shall include the implementation results of, and relevant explanations for, the matters under each subparagraph of the preceding paragraph.
The stipulation, amendment and implementation of the cyber security maintenance plan under Paragraph 1, and the submission of the implementation status under the preceding paragraph, may be conducted, for a government agency, by its superior or supervisory agency; and, for a specific non-government agency, by its central authority in charge of relevant industry, by a government agency subordinate to such central authority, or, with the consent of such central authority, by a specific non-government agency regulated by it.
第七條 前條第一項第一款所定核心業務，其範圍如下：
一、公務機關依其組織法規，足認該業務為機關核心權責所在。
二、公營事業及政府捐助之財團法人之主要服務或功能。
三、各機關維運、提供關鍵基礎設施所必要之業務。
四、各機關依資通安全責任等級分級辦法第四條第一款至第五款或第五條第一款至第四款涉及之業務。
前條第一項第六款所稱核心資通系統，指支持核心業務持續運作必要之系統，或依資通安全責任等級分級辦法附表九資通系統防護需求分級原則之規定，判定其防護需求等級為高者。
Article 7 The scope of the core businesses specified in Subparagraph 1 of Paragraph 1 of the preceding article is as follows:
1. Businesses that, under the organizational regulations of the government agency, are sufficiently recognized as the core accountabilities of the agency.
2. Major services or functions of government-owned enterprises and government-endowed foundations.
3. Businesses necessary for each agency to maintain, operate and provide critical infrastructure.
4. Businesses in which each agency is involved under Subparagraphs 1 to 5 of Article 4, or Subparagraphs 1 to 4 of Article 5, of the Regulations on Classification of Cyber Security Responsibility Levels.
The term “core information and communication system” as used in Subparagraph 6 of Paragraph 1 of the preceding article refers to a system that is necessary for supporting the continual operation of core businesses, or whose defense requirement level is determined to be high in accordance with the principles of classification of defense requirement levels of information and communication systems in Schedule 9 to the Regulations on Classification of Cyber Security Responsibility Levels.
第八條 本法第十四條第三項及第十八條第三項所定資通安全事件調查、處理及改善報告，應包括下列事項：
一、事件發生或知悉其發生、完成損害控制或復原作業之時間。
二、事件影響之範圍及損害評估。
三、損害控制及復原作業之歷程。
四、事件調查及處理作業之歷程。
五、事件根因分析。
六、為防範類似事件再次發生所採取之管理、技術、人力或資源等層面之措施。
七、前款措施之預定完成時程及成效追蹤機制。
Article 8 The investigation, handling and improvement report on cyber security incidents under Paragraph 3 of Article 14 and Paragraph 3 of Article 18 of the Act shall include the following:
1. The times of the occurrence of, or of the awareness of the occurrence of, the incident, and of the completion of damage control or recovery operations.
2. The scope affected by the incident and the damage assessment.
3. The course of damage control and recovery operations.
4. The course of incident investigation and handling operations.
5. Root cause analysis of the incident.
6. Measures in aspects of management, technology, manpower or resources taken to prevent the recurrence of similar incidents.
7. The estimated completion schedule and the effectiveness tracking mechanism of the measures under the preceding subparagraph.
第九條 中央目的事業主管機關依本法第十六條第一項規定指定關鍵基礎設施提供者前，應給予其陳述意見之機會。
Article 9 Before designating a critical infrastructure provider under Paragraph 1 of Article 16 of the Act, the central authority in charge of relevant industry shall give such provider the opportunity to state its opinions.

第十條 本法第十八條第三項及第五項所稱重大資通安全事件，指資通安全事件通報及應變辦法第二條第四項及第五項規定之第三級及第四級資通安全事件。
Article 10 The term “severe cyber security incident” as used in Paragraphs 3 and 5 of Article 18 of the Act refers to the level-3 and level-4 cyber security incidents specified in Paragraphs 4 and 5 of Article 2 of the Regulations on the Notification and Response of Cyber Security Incidents.
第十一條 主管機關或中央目的事業主管機關知悉重大資通安全事件，依本法第十八條第五項規定公告與事件相關之必要內容及因應措施時，應載明事件之發生或知悉其發生之時間、原因、影響程度、控制情形及後續改善措施。
前項與事件相關之必要內容及因應措施，有下列情形之一者，不予公告：
一、涉及個人、法人或團體營業上秘密或經營事業有關之資訊，或公開有侵害公務機關、個人、法人或團體之權利或其他正當利益。但法規另有規定，或對公益有必要，或為保護人民生命、身體、健康有必要，或經當事人同意者，不在此限。
二、其他依法規規定應秘密、限制或禁止公開之情形。
第一項與事件相關之必要內容及因應措施含有前項不予公告之情形者，得僅就其他部分公告之。
Article 11 When the competent authority or the central authority in charge of relevant industry becomes aware of a severe cyber security incident and publicizes the necessary contents and countermeasures relating to the incident under Paragraph 5 of Article 18 of the Act, the publication shall state the time of occurrence of the incident or of the awareness of its occurrence, its cause, the degree of impact, the control status and the subsequent improvement measures.
Under any of the following circumstances, the necessary contents and countermeasures relating to the incident under the preceding paragraph shall not be publicized:
1. They involve trade secrets or information relating to the business operations of individuals, juristic persons or organizations, or their disclosure might infringe upon the rights or other rightful interests of a government agency, individual, juristic person or organization; except where otherwise provided by law, where necessary for the public interest, where necessary for protecting people’s lives, bodies or health, or with the consent of the parties concerned.
2. Other circumstances in which confidentiality is required, or disclosure is restricted or prohibited, by law.
If the necessary contents and countermeasures relating to the incident under Paragraph 1 contain matters that shall not be publicized under the preceding paragraph, only the other portions may be publicized.
第十二條 特定非公務機關之業務涉及數中央目的事業主管機關之權責者，主管機關得協調指定一個以上之中央目的事業主管機關，單獨或共同辦理本法所定中央目的事業主管機關應辦理之事項。
Article 12 If the business of a specific non-government agency involves the accountabilities of several central authorities in charge of relevant industry, the competent authority may, via coordination, designate more than one central authority in charge of relevant industry to solely or jointly conduct the matters to be conducted by the central authority in charge of relevant industry under the Act.

第十三條 本細則之施行日期，由主管機關定之。
Article 13 The implementation date of the Rules shall be stipulated by the competent authority.
資通安全責任等級分級辦法-英譯對照

中華民國 107 年 11 月 21 日行政院院臺護字第 1070213547 號令訂定
Stipulated by Executive Yuan Order Yuan Tai Hu Zi No. 1070213547 on November 21, 2018.
中華民國 108 年 8 月 26 日行政院院臺護字第 1080184606 號令修正
Amended by Executive Yuan Order Yuan Tai Hu Zi No. 1080184606 on August 26, 2019.

資通安全責任等級分級辦法
Regulations on Classification of Cyber Security Responsibility Levels

第一條 本辦法依資通安全管理法（以下簡稱本法）第七條第一項規定訂定之。
Article 1 These Regulations are stipulated according to Paragraph 1 of Article 7 of the Cyber Security Management Act (hereinafter referred to as “the Act”).

第二條 公務機關及特定非公務機關（以下簡稱各機關）之資通安全責任等級，由高至低，分為 A 級、B 級、C 級、D 級及 E 級。
Article 2 The cyber security responsibility levels of government agencies and specific non-government agencies (hereinafter referred to as “each agency”) are classified, from high to low, into Level-A, Level-B, Level-C, Level-D and Level-E.
第三條 主管機關應每二年核定自身資通安全責任等級。
行政院直屬機關應每二年提交自身、所屬或監督之公務機關及所管之特定非公務機關之資通安全責任等級，報主管機關核定。
直轄市、縣（市）政府應每二年提交自身、所屬或監督之公務機關，與所轄鄉（鎮、市）、直轄市山地原住民區公所及其所屬或監督之公務機關之資通安全責任等級，報主管機關核定。
直轄市及縣（市）議會、鄉（鎮、市）民代表會及直轄市山地原住民區民代表會應每二年提交自身資通安全責任等級，由其所在區域之直轄市、縣（市）政府彙送主管機關核定。
總統府、國家安全會議、立法院、司法院、考試院及監察院應每二年核定自身、所屬或監督之公務機關及所管之特定非公務機關之資通安全責任等級，送主管機關備查。
各機關因組織或業務調整，致須變更原資通安全責任等級時，應即依前五項規定程序辦理等級變更；有新設機關時，亦同。
第一項至第五項公務機關辦理資通安全責任等級之提交或核定，就公務機關或特定非公務機關內之單位，認有另列與該機關不同等級之必要者，得考量其業務性質，依第四條至第十條規定認定之。
Article 3 The competent authority shall approve its own cyber security responsibility level every two years.
The agencies directly subordinate to the Executive Yuan shall, every two years, propose the cyber security responsibility levels of their own, of their subordinate or supervised government agencies, and of the specific non-government agencies under their charge, and shall report the same to the competent authority for approval.
Special municipality and county (city) governments shall, every two years, propose the cyber security responsibility levels of their own, of their subordinate or supervised government agencies, of the village (township/city) offices and mountain indigenous district offices of special municipalities under their jurisdiction, and of the government agencies subordinate to or supervised by such offices, and shall report the same to the competent authority for approval.
Special municipality and county (city) councils, village (township/city) councils, and mountain indigenous district councils of special municipalities shall, every two years, submit their own cyber security responsibility levels, which shall be compiled by the special municipality or county (city) government where they are located and submitted to the competent authority for approval.
The Presidential Office, the National Security Council, the Legislative Yuan, the Judicial Yuan, the Examination Yuan and the Control Yuan shall, every two years, approve the cyber security responsibility levels of their own, of their subordinate or supervised government agencies, and of the specific non-government agencies under their charge, and shall submit the same to the competent authority for recordation.
If an agency is required to change its cyber security responsibility level due to an adjustment of its organization or business, it shall immediately conduct the change of level according to the procedures under the preceding five paragraphs; the same applies when a new agency is established.
In submitting or approving cyber security responsibility levels under Paragraphs 1 to 5, if a government agency considers it necessary to assign a unit within a government agency or a specific non-government agency a level different from that of the agency, it may determine such level in accordance with Articles 4 to 10, taking into consideration the nature of the business of such unit.

第四條 各機關有下列情形之一者，其資通安全責任等級為 A 級：
一、業務涉及國家機密。
二、業務涉及外交、國防或國土安全事項。
三、業務涉及全國性民眾服務或跨公務機關共用性資通系統之維運。
四、業務涉及全國性民眾或公務員個人資料檔案之持有。
五、屬公務機關，且業務涉及全國性之能源、水資源、通訊傳播、交通、銀行與金融、緊急救援事項。
六、屬關鍵基礎設施提供者，且業務經中央目的事業主管機關考量其提供或維運關鍵基礎設施服務之用戶數、市場占有率、區域、可替代性，認其資通系統失效或受影響，對社會公共利益、民心士氣或民眾生命、身體、財產安全將產生災難性或非常嚴重之影響。
七、屬公立醫學中心。
Article 4 The cyber security responsibility level of each agency under any of the following circumstances is Level-A:
1. Its business involves classified national security information.
2. Its business involves matters of foreign affairs, national defense or homeland security.
3. Its business involves the maintenance and operation of information and communication systems for nationwide public services or commonly used across government agencies.
4. Its business involves the possession of personal information files of nationwide people or civil servants.
5. It is a government agency, and its business involves matters of nationwide energy, water resources, telecommunications, transportation, banking and finance, or emergency rescue.
6. It is a critical infrastructure provider, and the central authority in charge of relevant industry, taking into consideration the number of users, market share, region and substitutability of the critical infrastructure services it provides or maintains, considers that the failure of or impact on its information and communication systems would have a disastrous or extremely serious impact on the social public interest, people’s morale, or the security of people’s lives, bodies or property.
7. It is a public medical center.
第五條 各機關有下列情形之一者，其資通安全責任等級為 B 級：
一、業務涉及公務機關捐助或研發之敏感科學技術資訊之安全維護及管理。
二、業務涉及區域性、地區性民眾服務或跨公務機關共用性資通系統之維運。
三、業務涉及區域性或地區性民眾個人資料檔案之持有。
四、業務涉及中央二級機關及所屬各級機關（構）共用性資通系統之維運。
五、屬公務機關，且業務涉及區域性或地區性之能源、水資源、通訊傳播、交通、銀行與金融、緊急救援事項。
六、屬關鍵基礎設施提供者，且業務經中央目的事業主管機關考量其提供或維運關鍵基礎設施服務之用戶數、市場占有率、區域、可替代性，認其資通系統失效或受影響，對社會公共利益、民心士氣或民眾生命、身體、財產安全將產生嚴重影響。
七、屬公立區域醫院或地區醫院。
Article 5 The cyber security responsibility level of each agency under any of the following circumstances is Level-B:
1. Its business involves the security maintenance and management of sensitive scientific and technological information funded, researched or developed by a government agency.
2. Its business involves the maintenance and operation of information and communication systems for regional or local public services or commonly used across government agencies.
3. Its business involves the possession of personal information files of regional or local people.
4. Its business involves the maintenance and operation of information and communication systems commonly used by a central secondary agency and its subordinate agencies (institutions) at all levels.
5. It is a government agency, and its business involves matters of regional or local energy, water resources, telecommunications, transportation, banking and finance, or emergency rescue.
6. It is a critical infrastructure provider, and the central authority in charge of relevant industry, taking into consideration the number of users, market share, region and substitutability of the critical infrastructure services it provides or maintains, considers that the failure of or impact on its information and communication systems would have a serious impact on the social public interest, people’s morale, or the security of people’s lives, bodies or property.
7. It is a public regional hospital or local hospital.
第六條 各機關維運自行或委外開發之資通系統者，其資通安全責任等級為 C 級。
Article 6 The cyber security responsibility level of an agency that maintains and operates information and communication systems developed by itself or by outsourcing is Level-C.

第七條 各機關自行辦理資通業務，未維運自行或委外開發之資通系統者，其資通安全責任等級為 D 級。
Article 7 The cyber security responsibility level of an agency that conducts information and communication business by itself but does not maintain and operate information and communication systems developed by itself or by outsourcing is Level-D.
第八條 各機關有下列情形之一者，其資通安全責任等級為 E 級：
一、無資通系統且未提供資通服務。
二、屬公務機關，且其全部資通業務由其上級機關、監督機關或上開機關指定之公務機關兼辦或代管。
三、屬特定非公務機關，且其全部資通業務由其中央目的事業主管機關、中央目的事業主管機關所屬公務機關、中央目的事業主管機關所管特定非公務機關，或出資之公務機關兼辦或代管。
Article 8 The cyber security responsibility level of each agency under any of the following circumstances is Level-E:
1. It has no information and communication system and provides no information and communication service.
2. It is a government agency, and all of its information and communication business is conducted concurrently or managed by its superior agency, its supervisory agency, or a government agency designated by the agencies mentioned above.
3. It is a specific non-government agency, and all of its information and communication business is conducted concurrently or managed by its central authority in charge of relevant industry, a government agency subordinate to that central authority, a specific non-government agency under the charge of that central authority, or the government agency that funds it.
第九條 各機關依第四條至前條規定，符合二個以上之資通安全責任等級者，其資通安全責任等級列為其符合之最高等級。
Article 9 If an agency meets the requirements of two or more cyber security responsibility levels under Article 4 to the preceding article, its cyber security responsibility level shall be classified as the highest of the levels whose requirements it meets.

第十條 各機關之資通安全責任等級依前六條規定認定之。但第三條第一項至第五項之公務機關提交或核定資通安全責任等級時，得考量下列事項對國家安全、社會公共利益、人民生命、身體、財產安全或公務機關聲譽之影響程度，調整各機關之等級：
一、業務涉及外交、國防、國土安全、全國性、區域性或地區性之能源、水資源、通訊傳播、交通、銀行與金融、緊急救援與醫院業務者，其中斷或受妨礙。
二、業務涉及個人資料、公務機密或其他依法規或契約應秘密之資訊者，其資料、公務機密或其他資訊之數量與性質，及遭受未經授權之存取、使用、控制、洩漏、破壞、竄改、銷毀或其他侵害。
三、各機關依層級之不同，其功能受影響、失效或中斷。
四、其他與資通系統之提供、維運、規模或性質相關之具體事項。
Article 10 The cyber security responsibility level of each agency shall be determined in accordance with the preceding six articles; however, when a government agency under Paragraphs 1 to 5 of Article 3 submits or approves cyber security responsibility levels, it may adjust the level of an agency by taking into consideration the degree of impact of the following matters on national security, the social public interest, the security of people’s lives, bodies or property, or the reputation of the government agency:
1. For an agency whose business involves foreign affairs, national defense, homeland security, or nationwide, regional or local energy, water resources, telecommunications, transportation, banking and finance, emergency rescue or hospital business, the interruption or impediment of such business.
2. For an agency whose business involves personal information, official secrets, or other information that shall be kept confidential by law or contract, the quantity and nature of such data, official secrets or other information, and their unauthorized access, use, control, leakage, damage, tampering, destruction or other infringement.
3. The impairment, failure or interruption of the functions of the agency, according to the hierarchy level of the agency.
4. Other concrete matters relating to the provision, maintenance and operation, scale or nature of information and communication systems.

第十一條 各機關應依其資通安全責任等級，辦理附表一至附表八之事項。
各機關自行或委外開發之資通系統應依附表九所定資通系統防護需求分級原則完成資通系統分級，並依附表十所定資通系統防護基準執行控制措施；特定非公務機關之中央目的事業主管機關就特定類型資通系統之防護基準認有另為規定之必要者，得自行擬訂防護基準，報請主管機關核定後，依其規定辦理。
各機關辦理附表一至附表八所定事項或執行附表十所定控制措施，因技術限制、個別資通系統之設計、結構或性質等因素，就特定事項或控制措施之辦理或執行顯有困難者，得經第三條第二項至第四項所定其等級提交機關或同條第五項所定其等級核定機關同意，並報請主管機關備查後，免執行該事項或控制措施。
公務機關之資通安全責任等級為 A 級或 B 級者，應依主管機關指定之方式，提報第一項及第二項事項之辦理情形。
Article 11 Each agency shall conduct the matters specified in Schedules 1 to 8 according to its cyber security responsibility level.
For information and communication systems developed by each agency itself or by outsourcing, each agency shall complete the classification of the systems according to the principles of classification of defense requirement levels of information and communication systems specified in Schedule 9, and shall implement control measures according to the defense standards of information and communication systems specified in Schedule 10; if the central authority in charge of relevant industry of a specific non-government agency considers it necessary to otherwise provide for the defense standards of specific types of information and communication systems, it may draft such defense standards itself and report them to the competent authority for approval, after which the approved standards shall be followed.
If, in conducting the matters specified in Schedules 1 to 8 or implementing the control measures specified in Schedule 10, an agency has apparent difficulty in conducting or implementing a specific matter or control measure due to factors such as technical limitations or the design, structure or nature of an individual information and communication system, it may, with the consent of the agency that submits its level under Paragraphs 2 to 4 of Article 3 or of the agency that approves its level under Paragraph 5 of the same article, and after reporting to the competent authority for recordation, be exempted from that matter or control measure.
A government agency whose cyber security responsibility level is Level-A or Level-B shall report the implementation status of the matters under Paragraphs 1 and 2 in the manner designated by the competent authority.

第十二條 本辦法之施行日期，由主管機關定之。
本辦法修正條文自發布日施行。
Article 12 The implementation date of the Regulations shall be stipulated by the competent authority.
The amendments to the Regulations shall take effect on the date of promulgation.
附表一 資通安全責任等級 A 級之公務機關應辦事項
Schedule 1: Matters to be conducted by the government agency of cyber security responsibility Level-A

欄位：制度面向 / 辦理項目 / 辦理項目細項 / 辦理內容
Columns: System aspect / Item conducted / Sub-item conducted / Contents conducted

管理面 Management aspect

  資通系統分級及防護基準 Classification and defense standards of information and communication systems
    初次受核定或等級變更後之一年內，針對自行或委外開發之資通系統，依附表九完成資通系統分級，並完成附表十之控制措施；其後應每年至少檢視一次資通系統分級妥適性。
    Within one year after receipt of initial approval or change of level, the government agency shall complete the classification of the information and communication systems developed by itself or by outsourcing according to Schedule 9, and shall complete the control measures specified in Schedule 10; subsequently, it shall inspect the appropriateness of the classification of its information and communication systems at least once a year.

  資訊安全管理系統之導入及通過公正第三方之驗證 Adoption of an information security management system and verification by an impartial third party
    初次受核定或等級變更後之二年內，全部核心資通系統導入 CNS 27001 或 ISO 27001 等資訊安全管理系統標準、其他具有同等或以上效果之系統或標準，或其他公務機關自行發展並經主管機關認可之標準，於三年內完成公正第三方驗證，並持續維持其驗證有效性。
    Within two years after receipt of initial approval or change of level, the government agency shall adopt, for all of its core information and communication systems, information security management system standards such as CNS 27001 or ISO 27001, other systems or standards with equal or better effect, or other standards developed by the government agency itself and approved by the competent authority; it shall complete impartial third-party verification within three years and shall continually maintain the validity of that verification.

  資通安全專責人員 Dedicated cyber security personnel
    初次受核定或等級變更後之一年內，配置四人；須以專職人員配置之。
    Within one year after receipt of initial approval or change of level, the government agency shall deploy four persons; they shall be deployed on a full-time basis.

  內部資通安全稽核 Internal cyber security audit
    每年辦理二次。 Conduct twice a year.

  業務持續運作演練 Business continuity rehearsal
    全部核心資通系統每年辦理一次。 Conduct once a year for all core information and communication systems.

  資安治理成熟度評估 Cyber security governance maturity assessment
    每年辦理一次。 Conduct once a year.

  限制使用危害國家資通安全產品 Restricted use of products threatening national cyber security
    一、除因業務需求且無其他替代方案外，不得採購及使用主管機關核定之廠商生產、研發、製造或提供之危害國家資通安全產品。
    二、必須採購或使用危害國家資通安全產品時，應具體敘明理由，經主管機關核可後，以專案方式購置。
    三、對本辦法修正施行前已使用或因業務需求且無其他替代方案經主管機關核可採購之危害國家資通安全產品，應列冊管理，且不得與公務網路環境介接。
    1. Except where required for business needs with no other alternative, the agency shall not purchase or use products threatening national cyber security that are produced, researched, developed, manufactured or provided by manufacturers determined by the competent authority.
    2. When it must purchase or use such a product, it shall specifically state the reasons and, after approval by the competent authority, purchase it on a case-by-case basis.
    3. Such products that were already in use before the amendment to these Regulations took effect, or whose purchase was approved by the competent authority for business needs with no other alternative, shall be listed for management and shall not be interfaced with the official network environment.

技術面 Technical aspect

  安全性檢測 Security testing
    網站安全弱點檢測 Website security vulnerability detection
      全部核心資通系統每年辦理二次。 Conduct twice a year for all core information and communication systems.
    系統滲透測試 System penetration testing
      全部核心資通系統每年辦理一次。 Conduct once a year for all core information and communication systems.

  資通安全健診 Cyber security health diagnosis
    網路架構檢視 Inspection of network architecture
    網路惡意活動檢視 Inspection of network malicious activity
    使用者端電腦惡意活動檢視 Inspection of malicious activity on user terminal computers
    伺服器主機惡意活動檢視 Inspection of malicious activity on server hosts
    目錄伺服器設定及防火牆連線設定檢視 Inspection of directory server settings and firewall connection settings
      每年辦理一次。 Conduct once a year.

  資通安全威脅偵測管理機制 Cyber security threat detection management mechanism
    初次受核定或等級變更後之一年內，完成威脅偵測機制建置，並持續維運及依主管機關指定之方式提交監控管理資料。
    Within one year after receipt of initial approval or change of level, the government agency shall complete the establishment of the threat detection mechanism, shall continue its maintenance and operation, and shall submit the monitoring management data in the manner designated by the competent authority.

  政府組態基準 Government configuration baseline
    初次受核定或等級變更後之一年內，依主管機關公告之項目，完成政府組態基準導入作業，並持續維運。
    Within one year after receipt of initial approval or change of level, the government agency shall complete the introduction of the government configuration baseline for the items publicized by the competent authority, and shall continue its maintenance and operation.

  資通安全防護 Cyber security defense
    防毒軟體 Anti-virus software
    網路防火牆 Network firewall
    具有郵件伺服器者，應備電子郵件過濾機制 If the government agency has an email server, it shall have an email filtering mechanism
    入侵偵測及防禦機制 Intrusion detection and defense mechanism
    具有對外服務之核心資通系統者，應備應用程式防火牆 If the government agency has a core information and communication system providing external services, it shall have an application firewall
    進階持續性威脅攻擊防禦措施 Defense measures against advanced persistent threat attacks
      初次受核定或等級變更後之一年內，完成各項資通安全防護措施之啟用，並持續使用及適時進行軟、硬體之必要更新或升級。
      Within one year after receipt of initial approval or change of level, the government agency shall complete the activation of the various cyber security defense measures, shall continue to use them, and shall timely conduct the necessary updates or upgrades of software and hardware.

認知與訓練 Awareness and training

  資通安全教育訓練 Cyber security education and training
    資通安全專職人員 Full-time cyber security personnel
      每人每年至少接受十二小時以上之資通安全專業課程訓練或資通安全職能訓練。
      Each person shall receive not less than twelve hours of cyber security professional program training or cyber security competence training each year.
    資通安全專職人員以外之資訊人員 Information personnel other than full-time cyber security personnel
      每人每二年至少接受三小時以上之資通安全專業課程訓練或資通安全職能訓練，且每年接受三小時以上之資通安全通識教育訓練。
      Each person shall receive not less than three hours of cyber security professional program training or cyber security competence training every two years, and not less than three hours of general cyber security education and training each year.
    一般使用者及主管 General users and managers
      每人每年接受三小時以上之資通安全通識教育訓練。
      Each year, each person shall receive not less than three hours of general cyber security education and training.

  資通安全專業證照及職能訓練證書 Cyber security professional licenses and competence training certificates
    資通安全專業證照 Cyber security professional licenses
      初次受核定或等級變更後之一年內，資通安全專職人員總計應持有四張以上，並持續維持證照之有效性。
      Within one year after receipt of initial approval or change of level, the full-time cyber security personnel shall hold a total of four or more licenses, and shall continually maintain the validity of the licenses.
    資通安全職能評量證書 Cyber security competence assessment certificates
      初次受核定或等級變更後之一年內，資通安全專職人員總計應持有四張以上，並持續維持證書之有效性。
      Within one year after receipt of initial approval or change of level, the full-time cyber security personnel shall hold a total of four or more certificates, and shall continually maintain the validity of the certificates.

備註 Notes:
一、資通系統之性質為共用性系統者，由該資通系統之主責設置、維護或開發機關判斷是否屬於核心資通系統。
二、「公正第三方驗證」所稱第三方，指通過我國標準法主管機關委託機構認證之機構。
三、危害國家資通安全產品，指對國家資通安全具有直接或間接危害風險，影響政府運作或社會安定之資通系統或資通服務。
四、資通安全專職人員，指應全職執行資通安全業務者。
五、公務機關辦理本表「資通安全健診」時，除依本表所定項目、內容及時限執行外，亦得採取經主管機關認可之其他具有同等或以上效用之措施。
六、資通安全專業證照，指由主管機關認可之國內外發證機關（構）所核發之資通安全證照。
1. Where an information and communication system is by nature a commonly used system, the agency primarily responsible for its setup, maintenance or development shall judge whether it is a core information and communication system.
2. The “third party” in “impartial third-party verification” refers to an institution accredited by the body commissioned by the competent authority under the Standards Act of the Republic of China.
3. Products threatening national cyber security refer to information and communication systems or services that pose a direct or indirect risk to national cyber security and that affect government operations or social stability.
4. Full-time cyber security personnel refer to those who are required to perform cyber security business on a full-time basis.
5. When a government agency conducts the “cyber security health diagnosis” in this schedule, in addition to performing the items, contents and time limits specified herein, it may also adopt other measures with equal or better effect approved by the competent authority.
6. Cyber security professional licenses refer to cyber security licenses issued by domestic or foreign issuing agencies (institutions) recognized by the competent authority.
officer education training for not less than three hours.
Within one year after receipt of initial approval or change
Cyber Cyber security
of level, the full-time cyber security personnel shall held a
security professional
total of not less than four licenses, and shall continually
professional license
maintain the validity of licenses.
license and
Cyber security Within one year after receipt of initial approval or change
competence
competence of level, the full-time cyber security personnel shall hold a
training
assessment total of not less than four certificates, and shall continually
certificate
certificate maintain the validity of certificates.
Notes:
1. If the nature of the information and communication system is a shared one, whether it belonged to the core one, it
shall be judged by the agency in charge of the installation, maintenance or development of such information and
communication system.
2. The third party as used in “impartial third-party certification” refers to an agency commissioned by the competent
authority for the certification in accordance with the Standards Act of our country.
3. The threatening national cyber security products refer to the Information and communication systems and services
that directly or indirectly harm the operation of the government or social stability.
4. The full-time cyber security personnel refer to the personnel who should implement cyber security businesses in
full-time.
129
5. In conducting “cyber security health diagnosis” of this Schedule, in addition to implementation of the items,
contents and timeframes specified in this Schedule, the government agency may take other measures which have
equal or better effects as approved by the competent authority.
6. Cyber security professional license refer to the cyber security professional license issued by domestic and foreign
issuing authority(entity) recognized by the competent authority.

130
附表二 Schedule 2: Matters to be conducted by the specific non-government agency of cyber security responsibility Level-A

Columns: System aspect / Items conducted / Sub-items conducted / Contents conducted

Management aspect
  Classification and defense standards of the information and communication system
    Contents: Within one year after receipt of initial approval or change of level, the specific non-government agency shall complete the classification of the information and communication systems developed by itself or outsourced according to Schedule 9, and shall complete the control measures specified in Schedule 10; subsequently, the specific non-government agency shall inspect the appropriateness of the classification of its information and communication systems at least once a year.
  The importation of the information security management system and verification by an impartial third party
    Contents: Within two years after receipt of initial approval or change of level, the specific non-government agency shall import to all of its core information and communication systems the information security management system standards CNS 27001 or ISO 27001, other systems or standards with equal or better effect, or other standards developed by the specific non-government agency itself and approved by the competent authority; shall complete impartial third-party certification within three years; and shall continually maintain the validity of such certification.
  Dedicated cyber security personnel
    Contents: Within one year after receipt of initial approval or change of level, the specific non-government agency shall deploy four persons.
  Internal cyber security audit
    Contents: Conduct twice a year.
  Business sustainable operation rehearsal
    Contents: Conduct once a year for all core information and communication systems.
  Restricted use of threatening national cyber security products
    Contents:
    1. Except where required for business needs and no other alternative exists, the specific non-government agency shall not purchase or use threatening national cyber security products produced, researched, developed, manufactured or provided by manufacturers determined by the competent authority.
    2. Where it is necessary to purchase or use a threatening national cyber security product, the specific non-government agency shall specify the reasons and purchase it on a case-by-case basis after receiving approval from the competent authority.
    3. Threatening national cyber security products that were already in use before the amendment to these Regulations took effect, or whose purchase was approved by the competent authority for business needs with no other alternative, shall be listed for management and shall not be interfaced with the official network environment.

Technical aspect
  Security vulnerability detection
    Detection of website security vulnerability: Conduct twice a year for all core information and communication systems.
    Testing of system penetration: Conduct once a year for all core information and communication systems.
  Cyber security health diagnosis
    Sub-items: inspection of network framework; inspection of cyber malicious activity; inspection of malicious activity of user terminal computer; inspection of malicious activity of server; inspection of setting of directory server and setting of firewall connection.
    Contents: Conduct once a year.
  Cyber security threat detection management mechanism
    Contents: Within one year after receipt of initial approval or change of level, the specific non-government agency shall complete the development of the threat detection mechanism, and shall continue the maintenance and operation thereof.
  Cyber security defense
    Sub-items: anti-virus software; network firewall; if the specific non-government agency has an email server, it should have an email filtering mechanism; hacking detection and defense mechanism; if the specific non-government agency has a core information and communication system for external service, it should have an application firewall; defense measures against advanced persistent threat attacks.
    Contents: Within one year after receipt of initial approval or change of level, the specific non-government agency shall complete the activation of the various cyber security defense measures, shall continue to use such measures, and shall timely conduct the necessary update or upgrading of software and hardware.

Awareness and training
  Cyber security education and training
    Dedicated cyber security personnel: Each person shall receive not less than twelve hours of cyber security professional program training or cyber security competence training each year.
    Information personnel other than dedicated cyber security personnel: Each person shall receive not less than three hours of cyber security professional program training or cyber security competence training every two years, and not less than three hours of general cyber security education training each year.
    General users and officers: Each person shall receive not less than three hours of general cyber security education training each year.
  Cyber security professional license
    Contents: Within one year after receipt of initial approval or change of level, the dedicated cyber security personnel shall hold a total of not less than four licenses, and shall continually maintain the validity of the licenses.

Notes:
1. Where an information and communication system is a shared system, whether it is a core information and communication system shall be judged by the agency primarily responsible for the installation, maintenance or development of that system.
2. The third party referred to in “impartial third-party certification” means an institution accredited by a body commissioned by the competent authority under the Standards Act of our country.
3. Threatening national cyber security products refer to information and communication systems or services that pose a direct or indirect risk of harm to national cyber security and affect the operation of the government or social stability.
4. In conducting the “cyber security health diagnosis” of this Schedule, in addition to implementing the items, contents and timeframes specified in this Schedule, the specific non-government agency may also take other measures with equal or better effect as approved by the central authority in charge of the relevant industry.
5. The central authority in charge of the relevant industry of a specific non-government agency may, depending on actual needs and within the scope of these Regulations, otherwise provide for the cyber security matters to be conducted by the specific non-government agencies under its charge.
6. Cyber security professional license refers to a cyber security license issued by a domestic or foreign issuing authority (entity) recognized by the competent authority.
附表三 Schedule 3: Matters to be conducted by the government agency of cyber security responsibility Level-B

Columns: System aspect / Items conducted / Sub-items conducted / Contents conducted

Management aspect
  Classification and defense standards of the information and communication system
    Contents: Within one year after receipt of initial approval or change of level, the government agency shall complete the classification of the information and communication systems developed by itself or outsourced according to Schedule 9, and shall complete the control measures specified in Schedule 10; subsequently, the government agency shall inspect the appropriateness of the classification of its information and communication systems at least once a year.
  The importation of the information security management system and verification by an impartial third party
    Contents: Within two years after receipt of initial approval or change of level, the government agency shall import to all of its core information and communication systems the information security management system standards CNS 27001 or ISO 27001, other systems or standards with equal or better effect, or other standards developed by the government agency itself and approved by the competent authority; shall complete impartial third-party certification within three years; and shall continually maintain the validity of such certification.
  Dedicated cyber security personnel
    Contents: Within one year after receipt of initial approval or change of level, the government agency shall deploy two persons on a full-time basis.
  Internal cyber security audit
    Contents: Conduct once a year.
  Business sustainable operation rehearsal
    Contents: Conduct once every two years for all core information and communication systems.
  Cyber security governance maturity assessment
    Contents: Conduct once a year.
  Restricted use of threatening national cyber security products
    Contents:
    1. Except where required for business needs and no other alternative exists, the government agency shall not purchase or use threatening national cyber security products produced, researched, developed, manufactured or provided by manufacturers determined by the competent authority.
    2. Where it is necessary to purchase or use a threatening national cyber security product, the government agency shall specify the reasons and purchase it on a case-by-case basis after receiving approval from the competent authority.
    3. Threatening national cyber security products that were already in use before the amendment to these Regulations took effect, or whose purchase was approved by the competent authority for business needs with no other alternative, shall be listed for management and shall not be interfaced with the official network environment.

Technical aspect
  Security vulnerability detection
    Detection of website security vulnerability: Conduct once a year for all core information and communication systems.
    Testing of system penetration: Conduct once every two years for all core information and communication systems.
  Cyber security health diagnosis
    Sub-items: inspection of network framework; inspection of cyber malicious activity; inspection of malicious activity of user terminal computer; inspection of malicious activity of server; inspection of setting of directory server and setting of firewall connection.
    Contents: Conduct once every two years.
  Cyber security threat detection management mechanism
    Contents: Within one year after receipt of initial approval or change of level, the government agency shall complete the development of the threat detection mechanism, shall continue the maintenance and operation thereof, and shall submit the monitoring management documentation in the manner designated by the competent authority.
  Government configuration baseline
    Contents: Within one year after receipt of initial approval or change of level, the government agency shall complete the import operation of the government configuration baseline for the items publicized by the competent authority, and shall continue the maintenance and operation thereof.
  Cyber security defense
    Sub-items: anti-virus software; network firewall; if the government agency has an email server, it should have an email filtering mechanism; hacking detection and defense mechanism; if the government agency has a core information and communication system for external service, it should have an application firewall.
    Contents: Within one year after receipt of initial approval or change of level, the government agency shall complete the activation of the various cyber security defense measures, shall continue to use such measures, and shall timely conduct the necessary update or upgrading of software and hardware.

Awareness and training
  Cyber security education and training
    Full-time cyber security personnel: Each person shall receive not less than twelve hours of cyber security professional program training or cyber security competence training each year.
    Information personnel other than full-time cyber security personnel: Each person shall receive not less than three hours of cyber security professional program training or cyber security competence training every two years, and not less than three hours of general cyber security education training each year.
    General users and officers: Each person shall receive not less than three hours of general cyber security education training each year.
  Cyber security professional license and competence training certificate
    Cyber security professional license: Within one year after receipt of initial approval or change of level, the full-time cyber security personnel shall hold a total of not less than two licenses, and shall continually maintain the validity of the licenses.
    Cyber security competence assessment certificate: Within one year after receipt of initial approval or change of level, the full-time cyber security personnel shall hold a total of not less than two certificates, and shall continually maintain the validity of the certificates.

Notes:
1. Where an information and communication system is a shared system, whether it is a core information and communication system shall be judged by the agency primarily responsible for the installation, maintenance or development of that system.
2. The third party referred to in “impartial third-party certification” means an institution accredited by a body commissioned by the competent authority under the Standards Act of our country.
3. Threatening national cyber security products refer to information and communication systems or services that pose a direct or indirect risk of harm to national cyber security and affect the operation of the government or social stability.
4. Full-time cyber security personnel refer to personnel who perform cyber security duties on a full-time basis.
5. In conducting the “cyber security health diagnosis” of this Schedule, in addition to implementing the items, contents and timeframes specified in this Schedule, the government agency may also take other measures with equal or better effect as approved by the competent authority.
6. Cyber security professional license refers to a cyber security license issued by a domestic or foreign issuing authority (entity) recognized by the competent authority.
附表四 Schedule 4: Matters to be conducted by the specific non-government agency of cyber security responsibility Level-B

Columns: System aspect / Items conducted / Sub-items conducted / Contents conducted

Management aspect
  Classification and defense standards of the information and communication system
    Contents: Within one year after receipt of initial approval or change of level, the specific non-government agency shall complete the classification of the information and communication systems developed by itself or outsourced according to Schedule 9, and shall complete the control measures specified in Schedule 10; subsequently, the specific non-government agency shall inspect the appropriateness of the classification of its information and communication systems at least once a year.
  The importation of the information security management system and verification by an impartial third party
    Contents: Within two years after receipt of initial approval or change of level, the specific non-government agency shall import to all of its core information and communication systems the information security management system standards CNS 27001 or ISO 27001, other systems or standards with equal or better effect, or other standards developed by the specific non-government agency itself and approved by the competent authority; shall complete impartial third-party certification within three years; and shall continually maintain the validity of such certification.
  Dedicated cyber security personnel
    Contents: Within one year after receipt of initial approval or change of level, the specific non-government agency shall deploy two persons.
  Internal cyber security audit
    Contents: Conduct once a year.
  Business sustainable operation rehearsal
    Contents: Conduct once every two years for all core information and communication systems.
  Restricted use of threatening national cyber security products
    Contents:
    1. Except where required for business needs and no other alternative exists, the specific non-government agency shall not purchase or use threatening national cyber security products produced, researched, developed, manufactured or provided by manufacturers determined by the competent authority.
    2. Where it is necessary to purchase or use a threatening national cyber security product, the specific non-government agency shall specify the reasons and purchase it on a case-by-case basis after receiving approval from the competent authority.
    3. Threatening national cyber security products that were already in use before the amendment to these Regulations took effect, or whose purchase was approved by the competent authority for business needs with no other alternative, shall be listed for management and shall not be interfaced with the official network environment.

Technical aspect
  Security vulnerability detection
    Detection of website security vulnerability: Conduct once a year for all core information and communication systems.
    Testing of system penetration: Conduct once every two years for all core information and communication systems.
  Cyber security health diagnosis
    Sub-items: inspection of network framework; inspection of cyber malicious activity; inspection of malicious activity of user terminal computer; inspection of malicious activity of server; inspection of setting of directory server and setting of firewall connection.
    Contents: Conduct once every two years.
  Cyber security threat detection management mechanism
    Contents: Within one year after receipt of initial approval or change of level, the specific non-government agency shall complete the development of the threat detection mechanism, and shall continue the maintenance and operation thereof.
  Cyber security defense
    Sub-items: anti-virus software; network firewall; if the specific non-government agency has an email server, it should have an email filtering mechanism; hacking detection and defense mechanism; if the specific non-government agency has a core information and communication system for external service, it should have an application firewall.
    Contents: Within one year after receipt of initial approval or change of level, the specific non-government agency shall complete the activation of the various cyber security defense measures, shall continue to use such measures, and shall timely conduct the necessary update or upgrading of software and hardware.

Awareness and training
  Cyber security education and training
    Dedicated cyber security personnel: Each person shall receive not less than twelve hours of cyber security professional program training or cyber security competence training each year.
    Information personnel other than dedicated cyber security personnel: Each person shall receive not less than three hours of cyber security professional program training or cyber security competence training every two years, and not less than three hours of general cyber security education training each year.
    General users and officers: Each person shall receive not less than three hours of general cyber security education training each year.
  Cyber security professional license
    Contents: Within one year after receipt of initial approval or change of level, the dedicated cyber security personnel shall hold a total of not less than two licenses, and shall continually maintain the validity of the licenses.

Notes:
1. Where an information and communication system is a shared system, whether it is a core information and communication system shall be judged by the agency primarily responsible for the installation, maintenance or development of that system.
2. The third party referred to in “impartial third-party certification” means an institution accredited by a body commissioned by the competent authority under the Standards Act of our country.
3. Threatening national cyber security products refer to information and communication systems or services that pose a direct or indirect risk of harm to national cyber security and affect the operation of the government or social stability.
4. In conducting the “cyber security health diagnosis” of this Schedule, in addition to implementing the items, contents and timeframes specified in this Schedule, the specific non-government agency may also take other measures with equal or better effect as approved by the central authority in charge of the relevant industry.
5. The central authority in charge of the relevant industry of a specific non-government agency may, depending on actual needs and within the scope of these Regulations, otherwise provide for the cyber security matters to be conducted by the specific non-government agencies under its charge.
6. Cyber security professional license refers to a cyber security license issued by a domestic or foreign issuing authority (entity) recognized by the competent authority.
附表五 Schedule 5: Matters to be conducted by the government agency of cyber security responsibility Level-C

Columns: System aspect / Items conducted / Sub-items conducted / Contents conducted

Management aspect
  Classification and defense standards of the information and communication system
    Contents: Within one year after receipt of initial approval or change of level, the government agency shall complete the classification of the information and communication systems developed by itself or outsourced according to Schedule 9; subsequently, the government agency shall inspect the appropriateness of the classification of its information and communication systems at least once a year. For systems whose level is “high”, the government agency shall complete the control measures specified in Schedule 10 within two years after receipt of initial approval or change of level.
  The importation of the information security management system
    Contents: Within two years after receipt of initial approval or change of level, the government agency shall import to all of its core information and communication systems the information security management system standards CNS 27001 or ISO 27001, other systems or standards with equal or better effect, or other standards developed by the government agency itself and approved by the competent authority, and shall continually maintain the importation thereof.
  Dedicated cyber security personnel
    Contents: Within one year after receipt of initial approval or change of level, the government agency shall deploy one person on a full-time basis.
  Internal cyber security audit
    Contents: Conduct once every two years.
  Business sustainable operation rehearsal
    Contents: Conduct once every two years for all core information and communication systems.
  Restricted use of threatening national cyber security products
    Contents:
    1. Except where required for business needs and no other alternative exists, the government agency shall not purchase or use threatening national cyber security products produced, researched, developed, manufactured or provided by manufacturers determined by the competent authority.
    2. Where it is necessary to purchase or use a threatening national cyber security product, the government agency shall specify the reasons and purchase it on a case-by-case basis after receiving approval from the competent authority.
    3. Threatening national cyber security products that were already in use before the amendment to these Regulations took effect, or whose purchase was approved by the competent authority for business needs with no other alternative, shall be listed for management and shall not be interfaced with the official network environment.

Technical aspect
  Security vulnerability detection
    Detection of website security vulnerability: Conduct once every two years for all core information and communication systems.
    Testing of system penetration: Conduct once every two years for all core information and communication systems.
  Cyber security health diagnosis
    Sub-items: inspection of network framework; inspection of cyber malicious activity; inspection of malicious activity of user terminal computer; inspection of malicious activity of server; inspection of setting of directory server and setting of firewall connection.
    Contents: Conduct once every two years.
  Cyber security defense
    Sub-items: anti-virus software; network firewall; if the government agency has an email server, it should have an email filtering mechanism.
    Contents: Within one year after receipt of initial approval or change of level, the government agency shall complete the activation of the various cyber security defense measures, shall continue to use such measures, and shall timely conduct the necessary update or upgrading of software and hardware.

Awareness and training
  Cyber security education and training
    Full-time cyber security personnel: Each person shall receive not less than twelve hours of cyber security professional program training or cyber security competence training each year.
    Information personnel other than full-time cyber security personnel: Each person shall receive not less than three hours of cyber security professional program training or cyber security competence training every two years, and not less than three hours of general cyber security education training each year.
    General users and officers: Each person shall receive not less than three hours of general cyber security education training each year.
  Cyber security professional license and competence training certificate
    Cyber security professional license: The full-time cyber security personnel shall hold a total of not less than one license, and shall continually maintain the validity of the license.
    Cyber security competence assessment certificate: Within one year after receipt of initial approval or change of level, the full-time cyber security personnel shall hold a total of not less than one certificate, and shall continually maintain the validity of the certificate.

Notes:
1. Where an information and communication system is a shared system, whether it is a core information and communication system shall be judged by the agency primarily responsible for the installation, maintenance or development of that system.
2. Threatening national cyber security products refer to information and communication systems or services that pose a direct or indirect risk of harm to national cyber security and affect the operation of the government or social stability.
3. Full-time cyber security personnel refer to personnel who perform cyber security duties on a full-time basis.
4. In conducting the “cyber security health diagnosis” of this Schedule, in addition to implementing the items, contents and timeframes specified in this Schedule, the government agency may also take other measures with equal or better effect as approved by the competent authority.
5. Cyber security professional license refers to a cyber security license issued by a domestic or foreign issuing authority (entity) recognized by the competent authority.
證照。 Each personnel shall receive the cyber security professional
Full-time
program training or the cyber security competence training for
cyber security
Cyber not less than twelve hours each year.
personnel
Awareness security
and training education Information
and training Each personnel shall receive the cyber security professional
personnel
program training or the cyber security competence training for
other than full-
not less than three hours every two years and receive general
time cyber

142
security cyber security education training for not less than three hours
personnel each year.

General user Each year, each person shall receive the general cyber security
and officer education training for not less than three hours.
Cyber Cyber security The full-time cyber security personnel shall hold a total of not
security professional less than one license, and shall continually maintain the validity
professional license of licenses.
license and Cyber security Within one year after receipt of initial approval or change of
competence competence level, the full-time cyber security personnel shall held a total of
training assessment not less than one certificate, and shall continually maintain the
certificate certificate validity of certificate.
Notes:
6. If the nature of the information and communication system is a shared one, whether it belonged to the core
one, it shall be judged by the agency in charge of the installation, maintenance or development of such
information and communication system.
7. The threatening national cyber security products refer to the Information and communication systems and
services that directly or indirectly harm the operation of the government or social stability.
8. The full-time cyber security personnel refer to the personnel who should implement cyber security businesses
in full-time.
9. In conducting “cyber security health diagnosis” of this Schedule, in addition to implementation of the items,
contents and timeframes specified in this Schedule, the government agency may take other measures which
have equal or better effects as approved by the competent authority.
10. Cyber security professional license refer to the cyber security professional license issued by domestic and
foreign issuing authority(entity) recognized by the competent authority.

143
Schedule 6: Matters to be conducted by the specific non-government agency of cyber security responsibility Level-C
(Columns: System aspect; Items conducted; Sub-items conducted; Contents conducted)

Management aspect
- Classification and defense standards of the information and communication system: Within one year after receipt of initial approval or change of level, the specific non-government agency shall complete the classification of levels of the information and communication systems developed by itself or outsourced according to Schedule 9; subsequently, the specific non-government agency shall inspect the appropriateness of the classification of levels of the information and communication systems at least once a year. If the system level is "high", the specific non-government agency shall, within two years after receipt of initial approval or change of levels, complete the control measures specified in Schedule 10.
- The importation of the information security management system: Within two years after receipt of initial approval or change of level, the specific non-government agency shall import to all of its core information and communication systems the standards (CNS 27001 or ISO 27001 information security management system, or other systems or standards with equal or better effects, or other standards developed by the specific non-government agency itself and approved by the competent authority), and shall continually maintain the importation thereof.
- Dedicated cyber security personnel: Within one year after receipt of initial approval or change of level, the specific non-government agency shall deploy one person.
- Internal cyber security audit: Conduct once every two years.
- Business sustainable operation rehearsal: Conduct once every two years for all core information and communication systems.
- Restricted use of threatening national cyber security products:
  1. Except for business needs with no other alternatives, it is not allowed to purchase and use the threatening national cyber security products that are produced, researched, developed, manufactured or provided by the manufacturers approved by the competent authority.
  2. When purchasing or using a threatening national cyber security product, the agency shall specify the reasons and purchase it on a case-by-case basis after receiving approval from the competent authority.
  3. The threatening national cyber security products that were used before the amendment to the Regulations took effect, or that were approved for purchase by the competent authority for business needs with no other alternatives, should be listed for management and should not be interfaced with the official network environment.

Technical aspect
- Cyber security health diagnosis:
  - Security vulnerability detection (detection of website security vulnerability): Conduct once every two years for all core information and communication systems.
  - Testing of system penetration: Conduct once every two years for all core information and communication systems.
  - Inspection of network framework; inspection of cyber malicious activity; inspection of malicious activities of user terminal computer; inspection of malicious activities of server; inspection of setting of directory server and setting of firewall connection: Conduct once every two years.
- Cyber security defense (anti-virus software; network firewall; if the specific non-government agency has an email server, it should have an email filtering mechanism): Within one year after receipt of approval or change of levels, the specific non-government agency shall complete activation of the various cyber security defense measures, and continue to use such measures and timely conduct the necessary update or upgrading of software and hardware.

Awareness and training
- Cyber security education and training:
  - Dedicated cyber security personnel: Each person shall receive the cyber security professional program training or the cyber security competence training for not less than twelve hours each year.
  - Information personnel other than dedicated cyber security personnel: Each person shall receive the cyber security professional program training or the cyber security competence training for not less than three hours every two years, and receive general cyber security education training for not less than three hours each year.
  - General user and officer: Each year, each person shall receive the general cyber security education training for not less than three hours.
- Cyber security professional license: Within one year after receipt of initial approval or change of level, the dedicated cyber security personnel shall hold a total of not less than one license, and shall continually maintain the validity of the license.

Notes:
1. If the information and communication system is a shared system, whether it belongs to the core information and communication systems shall be judged by the agency in charge of the installation, maintenance or development of such system.
2. The threatening national cyber security products refer to the information and communication systems and services that pose a direct or indirect risk to national cyber security, affecting the operation of the government or social stability.
3. In conducting the "cyber security health diagnosis" of this Schedule, in addition to implementing the items, contents and timeframes specified in this Schedule, the specific non-government agency may take other measures which have equal or better effects as approved by the central authority in charge of relevant industry.
4. The central authority in charge of relevant industry of the specific non-government agency may, depending on actual requirements and to the extent of compliance with the requirements of these Regulations, otherwise provide for the cyber security matters to be conducted by its regulated specific non-government agency.
5. Cyber security professional license refers to the cyber security professional license issued by a domestic or foreign issuing authority (entity) recognized by the competent authority.
Schedule 7: Matters to be conducted by each agency of cyber security responsibility Level-D
(Columns: System aspect; Items conducted; Sub-items conducted; Contents conducted)

Management aspect
- Restricted use of threatening national cyber security products:
  1. Except for business needs with no other alternatives, it is not allowed to purchase and use the threatening national cyber security products that are produced, researched, developed, manufactured or provided by the manufacturers approved by the competent authority.
  2. When purchasing or using a threatening national cyber security product, the agency shall specify the reasons and purchase it on a case-by-case basis after receiving approval from the competent authority.
  3. The threatening national cyber security products that were used before the amendment to the Regulations took effect, or that were approved for purchase by the competent authority for business needs with no other alternatives, should be listed for management and should not be interfaced with the official network environment.

Technical aspect
- Cyber security defense (anti-virus software; network firewall; if the agency has an email server, it should have an email filtering mechanism): Within one year after receipt of approval or change of levels, each agency shall complete activation of the various cyber security defense measures, and continue to use such measures and timely conduct the necessary update or upgrading of software and hardware.

Awareness and training
- Cyber security education and training, general user and officer: Each year, each person shall receive the general cyber security education training for not less than three hours.

Note: The central authority in charge of relevant industry of the specific non-government agency may, depending on actual requirements and to the extent of compliance with the requirements of these Regulations, otherwise provide for the cyber security matters to be conducted by its regulated specific non-government agency.
Schedule 8: Matters to be conducted by each agency of cyber security responsibility Level-E
(Columns: System aspect; Items conducted; Sub-items conducted; Contents conducted)

Management aspect
- Restricted use of threatening national cyber security products:
  1. Except for business needs with no other alternatives, it is not allowed to purchase and use the threatening national cyber security products that are produced, researched, developed, manufactured or provided by the manufacturers approved by the competent authority.
  2. When purchasing or using a threatening national cyber security product, the agency shall specify the reasons and purchase it on a case-by-case basis after receiving approval from the competent authority.
  3. The threatening national cyber security products that were used before the amendment to the Regulations took effect, or that were approved for purchase by the competent authority for business needs with no other alternatives, should be listed for management and should not be interfaced with the official network environment.

Awareness and training
- Cyber security education and training, general user and officer: Each year, each person shall receive the general cyber security education training for not less than three hours.

Note: The central authority in charge of relevant industry of the specific non-government agency may, depending on actual requirements and to the extent of compliance with the requirements of these Regulations, otherwise provide for the cyber security matters to be conducted by its regulated specific non-government agency.
Schedule 9: Principles of classification of levels of defense requirements of information and communication system
(Rows: dimension; columns: defense requirement levels High, Medium and Common)

Confidentiality
  High: The occurrence of a cyber security incident resulting in impact on the information and communication system might cause unauthorized disclosure of information, leading to very serious or disastrous impact on the operation, assets or reputation of the agency.
  Medium: The occurrence of a cyber security incident resulting in impact on the information and communication system might cause unauthorized disclosure of information, leading to serious impact on the operation, assets or reputation of the agency.
  Common: The occurrence of a cyber security incident resulting in impact on the information and communication system might cause unauthorized disclosure of information, leading to limited impact on the operation, assets or reputation of the agency.

Integrity
  High: The occurrence of a cyber security incident resulting in impact on the information and communication system might cause errors in or tampering of the information, leading to very serious or disastrous impact on the operation, assets or reputation of the agency.
  Medium: The occurrence of a cyber security incident resulting in impact on the information and communication system might cause errors in or tampering of the information, leading to serious impact on the operation, assets or reputation of the agency.
  Common: The occurrence of a cyber security incident resulting in impact on the information and communication system might cause errors in or tampering of the information, leading to limited impact on the operation, assets or reputation of the agency.

Availability
  High: The occurrence of a cyber security incident resulting in impact on the information and communication system might cause interruption of access to or use of the information or the information and communication system, leading to very serious or disastrous impact on the operation, assets or reputation of the agency.
  Medium: The occurrence of a cyber security incident resulting in impact on the information and communication system might cause interruption of access to or use of the information or the information and communication system, leading to serious impact on the operation, assets or reputation of the agency.
  Common: The occurrence of a cyber security incident resulting in impact on the information and communication system might cause interruption of access to or use of the information or the information and communication system, leading to limited impact on the operation, assets or reputation of the agency.

Regulatory compliance
  High: The failure to strictly comply with the cyber security related regulatory requirements involved in the installation or operation of the information and communication system might cause impact on the information and communication system, leading to cyber security incidents, or affect the legitimate rights and interests of others or the impartiality and justifiability of the agency in the performance of its businesses, and cause the personnel of the agency to be subject to criminal liability.
  Medium: The failure to strictly comply with the cyber security related regulatory requirements involved in the installation or operation of the information and communication system might cause impact on the information and communication system, leading to cyber security incidents, or affect the legitimate rights and interests of others or the impartiality and justifiability of the agency in the performance of its businesses, and cause the agency or its personnel to be subject to administrative punishments, disciplines or penalties.
  Common: Other cases in which the installation or operation of the information and communication system is subject to relevant regulatory requirements.

Note: The defense requirement level of the information and communication system shall be the highest of the defense requirement levels determined in any of the dimensions of confidentiality, integrity, availability and regulatory compliance relating to such system.
Schedule 10: Defense standards of information and communication system
(Columns: Dimension; Control measure; Contents of the measures for each level of the defense requirements of systems: High, Medium and Common)

Access control
- Account management
  High: 1. When the expected idle time or usable time prescribed by the agency is exceeded, the system should automatically log out the users. 2. Use the information and communication system according to the circumstances and conditions prescribed by the agency. 3. Monitor the accounts of the information and communication system; report to the administrator if any abnormal use by an account is found. 4. All control measures for the level of "medium".
  Medium: 1. The temporary or emergency accounts which have expired should be deleted or prohibited. 2. The idle accounts of the information and communication system should be prohibited. 3. Periodically review the establishment, revision, activation, prohibition and deletion of accounts of the information and communication system. 4. All control measures for the level of "common".
  Common: Establish the account management mechanism, including the procedures for application, activation, suspension and deletion.
- Least privilege
  High and Medium: The principle of least privilege is adopted. The users (or the procedures for acts on behalf of users) are granted only the authorized access required for the completion of the assigned duties, depending on the duties and business functions of the agency.
  Common: No requirement.
- Remote access
  High and Medium: 1. The remote connection with the information and communication system should be monitored. 2. The information and communication system should adopt an encryption mechanism. 3. The source of the remote access to the information and communication system should be the access control point pre-defined and managed by the agency. 4. All control measures for the level of "common".
  Common: For each kind of permitted remote access, the authorization should be obtained in advance; the use restrictions, configuration requirements, connection requirements and documentation should be established; and the inspection of users' privileges should be completed at the server side.

Audit and accountability
- Audit event
  High and Medium: 1. Audit events should be reviewed periodically. 2. All control measures for the level of "common".
  Common: 1. Retain the audit records according to the prescribed time cycle and the record retention policies. 2. Assure that the information and communication system has the function of auditing specific events, and determine the specific information and communication system events to be audited. 3. Audit the various functions executed by the administrator account of the information and communication system.
- Content of audit record
  High and Medium: 1. Audit records generated by the information and communication system shall include other relevant information as required. 2. All control measures for the level of "common".
  Common: Audit records generated by the information and communication system shall include the type of event, the time of occurrence, the place of occurrence, and the information identifying the users relating to the event; a single journal recording mechanism should be adopted to assure the consistency of the output format.
- Storage capacity for the audit
  All levels: The storage capacity required for the audit records shall be provided according to the requirement of the storage of audit records.
- Response to failure in audit process
  High: 1. Upon occurrence of the audit failure events which should be reported immediately as required by the agency, the information and communication system should give warnings to the specific personnel within the timeframes prescribed by the agency. 2. All control measures for the levels of "medium" and "common".
  Medium and Common: In case of failure in the audit process, the information and communication system should take appropriate actions.
- Time stamp and time calibration
  High and Medium: 1. The internal clock of the system should synchronize with the standard time source according to the time cycle specified by the agency. 2. All control measures for the level of "common".
  Common: The information and communication system should use the internal clock of the system to generate the time stamps required for audit records, and such time stamps should be able to correspond to Universal Time Coordinated (UTC) or Greenwich Mean Time (GMT).
- Protection of audit information
  High: 1. Periodically back up the audit records to a physical system different from the original audit system. 2. All control measures for the level of "medium".
  Medium: 1. Use hashing or other proper integrity assurance mechanisms. 2. All control measures for the level of "common".
  Common: The access management of audit records is limited to the users with privileges.

Business continuity plan
- Backup of system
  High: 1. Take backup and restore as a part of the testing of the business continuity plan. 2. Store the backups of the important software of the information and communication system and of other security related information in independent facilities or fire cabinets at a place different from the operating system. 3. All control measures for the level of "medium".
  Medium: 1. Periodically test the backup information to verify the reliability of the backup media and the integrity of the information. 2. All control measures for the level of "common".
  Common: 1. Set the requirement for the tolerable time of information loss of the system. 2. Execute the backup of system source codes and data.
- System rescue
  High and Medium: 1. Set the requirement for the tolerable time from the interruption of the information and communication system to the recovery of service. 2. When the original service is interrupted, the service is provided by the rescue equipment in lieu thereof within the tolerable time.
  Common: No requirement.

Identification and authentication
- Identification and authentication of internal users
  High: 1. Adopt multi-factor authentication technologies for the network or local access of accounts. 2. All control measures for the levels of "medium" and "common".
  Medium and Common: The information and communication system should have the function of uniquely identifying and authenticating agency users (or the programs acting on behalf of agency users); shared accounts are prohibited.
- Identity verification management
  High and Medium: 1. The identity verification mechanism should prevent logon or password change attempts by automated programs. 2. The password resetting mechanism, after re-confirming the identity of the user, sends a one-time and time-limited token. 3. All control measures for the level of "common".
  Common: 1. When a preset password is used to log in to the system, the password should be changed immediately after logon. 2. Information relating to identity verification may not be transmitted in plain text. 3. Have an account lockout mechanism: if the identity verification for account logon fails three times, disallow such account from continuing logon attempts for at least fifteen minutes, or use the failure verification mechanism built by the agency itself. 4. The information and communication system with password-based authentication should impose a minimum password complexity, and impose restrictions on the shortest and longest validity of passwords. 5. When the users change password, the new password may not be the same as those used in the previous three times. 6. The measures specified in points 4 and 5 may be conducted for non-internal users according to the regulations formulated by the agency itself.
- Authentication information feedback
  All levels: The information and communication system should mask the information in the course of authentication.
- Encryption module authentication
  High and Medium: When the information and communication system uses passwords for authentication, such passwords should be encrypted or stored after hashing.
  Common: No requirement.
- Identification and authentication of non-internal users
  All levels: The information and communication system should identify and authenticate non-internal users (or the programs acting on behalf of agency users).

Access to systems and services
- Requirement phase of system development life cycle
  All levels: Use a checklist to confirm the system security requirements (including confidentiality, availability and integrity).
- Design phase of system development life cycle
  High and Medium: 1. According to the system functions and requirements, identify the threats that might impact the system, and conduct risk analysis and assessment. 2. Feed the risk assessment results back to the check items of the requirement phase, and propose revisions of the security requirements.
  Common: No requirement.
- Development phase of system development life cycle
  High: 1. Execute "source code scanning" security testing. 2. Have a notification mechanism for serious errors of the system. 3. All control measures for the levels of "medium" and "common".
  Medium and Common: 1. Implement the necessary control measures for the security requirements. 2. Pay attention to avoiding common software vulnerabilities, and implement the necessary control measures. 3. When errors occur, the user's page displays only a short error message and code, without detailed error messages.
- Testing phase of system development life cycle
  High: 1. Execute "penetration testing" security testing. 2. All control measures for the levels of "medium" and "common".
  Medium and Common: Execute "vulnerability scanning" security testing.
- Deployment and maintenance operation phase of system development life cycle
  High and Medium: 1. In the maintenance operation phase of the system development life cycle, attention should be paid to version control and change management. 2. All control measures for the level of "common".
  Common: 1. In the deployment environment, update and patch against the relevant cyber security threats, and close unnecessary services and ports. 2. The software related to the information and communication system does not use preset passwords.
- Outsourcing phase of system development life cycle
  All levels: If the development of the information and communication system is outsourced, the security requirements (including confidentiality, availability and integrity) of each phase of the system development life cycle shall, according to the level, be included in the outsourcing contract.
- Acquisition procedure
  High and Medium: The development, testing and production environments should be segregated.
  Common: No requirement.
- System documentation
  All levels: The documents relating to the system development life cycle should be stored and managed.

System and communication protection
- Confidentiality and integrity of transmission
  High: 1. The information and communication system should adopt an encryption mechanism to prevent unauthorized disclosure of information or to detect changes to information, unless alternative physical protection measures are in place during transmission. 2. Use public algorithms that are verified by international institutions and have not been broken. 3. Support the maximum key length of the algorithm. 4. Replace encryption keys or certificates periodically. 5. Management rules for the custody of server-side keys should be established and the appropriate security protection measures implemented.
  Medium: No requirement.
  Common: No requirement.
- Security of data storage
  High: Information at rest and the related confidential information with protection needs should be stored encrypted.
  Medium: No requirement.
  Common: No requirement.

System and information integrity
- Vulnerability repair
  High and Medium: 1. Periodically confirm the status of the repair of vulnerabilities relating to the information and communication system. 2. All control measures for the level of "common".
  Common: The repair of system vulnerabilities should be tested for effectiveness and potential impact, and updated periodically.
- Information and communication system monitoring
  High: 1. The information and communication system should adopt automated tools to monitor inbound and outbound traffic, and analyze the event when unusual or unauthorized activities are found. 2. All control measures for the level of "medium".
  Medium: 1. Monitor the information and communication system to detect attacks and unauthorized connections, and identify unauthorized use of the information and communication system. 2. All control measures for the level of "common".
  Common: When signs of intrusion into the information and communication system are found, the specific personnel of the agency should be notified.
- Software and information integrity
  High: 1. Periodically execute software and information integrity checks. 2. All control measures for the level of "medium".
  Medium: 1. Use integrity verification tools to detect unauthorized changes to specific software and information. 2. Validity checks of user input data should be placed at the application system server side. 3. When an integrity violation is found, the information and communication system should implement the security protection measures designated by the agency.
  Common: No requirement.

Notes:
1. Information at rest refers to information located in a specific component of the information and communication system, for example the state on a storage device, or system-related information that needs protection, for example the settings of firewalls, gateways, intrusion detection and defense systems, filtering routers and the content of authenticators.
2. The central authority in charge of relevant industry of the specific non-government agency may, depending on actual requirements and to the extent of compliance with the requirements of these Regulations, otherwise provide for the system defense standards of its regulated specific non-government agency.
maintenance
operation attention should be paid to the environment,
phase of version control and change should conduct
system management. update and fixing

158
development 2. All control measures for the level of of relevant cyber
life circle “common”. security threats,
and close
unnecessary
services and ports.
4. Not to use preset
passwords for
relevant software
of information
and
communication
system.
Outsourcing If the development of the information and communication system is
phase of outsourced, the security requirements by level(including
system confidentiality, availability, integrity) for each phase of system
development development life circle shall be included in the outsourcing contract.
life circle
Obtaining Development, testing, and formal operation No requirement
programs environments should be separated.
System Should store the documents relating to the management system
documents development life circle.
1. The information No requirement No requirement
and
communication
system should
adopt encryption
mechanism, to
prevent from
unauthorized
disclosure of
Protection of confidentiality
information or to
systems and and integrity of
communications transmission detect the change
of information;
unless there are
substitutive
physical protection
measures in the
course of
transmission.
2. Use public,
international

159
institution verified
and not cracked
algorithms.
3. Support the
maximum length
key of algorithms.
4. Periodically
change the
encryption key or
certification.
5. Should
formulate the
management
regulations on the
custody of key at
server terminal,
and implement
security protection
measures that
should exist.
The static information No requirement. No requirement.
and the relevant
Securities of confidential information
data storage required for protection
should be encrypted for
the storage.
1. Periodically confirm the status of The vulnerability
fixing of relevant vulnerabilities of the fixing of the system
should be tested for
Vulnerability information and communication the effectiveness and
fixing system. potential impact, and
2. All control measures for the level of should be updated
“common”. periodically.

Integrity of 1. The 1. Monitor the If a sign of hacking to


systems and information information and the information and
information communication
Monitoring of and communication system is found,
information communicati system to detect should notify the
and on system the attack and specific personnel of
communicatio should adopt unauthorized the agencies thereof.
n system
automatic connection and to
tools to identify the
monitor the unauthorized

160
access users of the
communicati information and
on flows; if communication
unusual or system.
unauthorized 2. All control
activities are measures for the
found, level of
conduct the “common”.
analysis of
such activity.
2. All control
measures for
the level of
“medium”.
1. Should 4. Use the integrity No requirement
conduct the verification tools
inspection of to detect the
the integrity unauthorized
of software change of
and specific software
information. and information.
2. All control 5. The examination
measures for of the legitimacy
the level of of input data of
“medium”. users should be
The integrity of placed on the
software and server terminal of
information the application
system.
6. If any violation to
the integrity is
found, the
information and
communication
system should
implement the
security
protection
measures

161
designated by the
agency.
Notes:
3. Static information refers to the information located at the specific elements in information and
communication systems, such as the status of being stored in the equipment, or the information relating
to the system that is required for protection, such as the information of contents of setting firewalls,
gateways, hacking detection, defense system, filtering routers, and authentication token etc.
4. The government authority in charge of subject industry at the central government level of the
specific non-government agency may, depending on the actual requirements and to the extent of
compliance with these Regulations, otherwise provide for the information and communication system
defense standards of its regulated specific non-government agency.

162
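The password-based controls in points 7, 9, 10 and 11 of the identity verification management row, modelled in Python as an added illustration (constructed here, not part of the Regulations or of any agency's system); the complexity rule and the 24-hour/90-day validity limits are assumed values, since the Regulations leave them to each agency:

```python
"""Reference model of the common-level password controls: lockout after three
failed logons for at least fifteen minutes (point 9), forced change of a preset
password at first logon (point 7), minimum complexity and shortest/longest
validity (point 10), and no reuse of the previous three passwords (point 11).
Constructed example; the complexity rule and age limits are assumed values."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3             # failed logons before lockout (point 9)
LOCKOUT_SECONDS = 15 * 60         # minimum lockout duration (point 9)
HISTORY_DEPTH = 3                 # previous passwords that may not be reused (point 11)
MIN_AGE_SECONDS = 24 * 3600       # assumed shortest validity (point 10)
MAX_AGE_SECONDS = 90 * 24 * 3600  # assumed longest validity (point 10)
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so passwords are stored only after hashing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def meets_complexity(password: str) -> bool:
    """Assumed minimum complexity: 12+ characters with upper, lower, digit, symbol."""
    return len(password) >= 12 and all(
        re.search(p, password) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z\d]"))


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    changed_at: float                       # when the current password was set
    must_change: bool = False               # True while the preset password is in use
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    failures: int = 0
    locked_until: float = 0.0


def create_with_preset(name: str, preset: str, now: float) -> Account:
    salt, digest = hash_password(preset)
    return Account(name, salt, digest, changed_at=now, must_change=True)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def login(acct: Account, password: str, now: float) -> str:
    """Returns 'locked', 'fail', 'must_change', 'expired' or 'ok'."""
    if now < acct.locked_until:
        return "locked"                     # refuse without evaluating the password
    if not _matches(password, acct.salt, acct.digest):
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
        return "fail"
    acct.failures = 0
    if acct.must_change:
        return "must_change"                # point 7: preset password must be replaced now
    if now - acct.changed_at > MAX_AGE_SECONDS:
        return "expired"                    # point 10: longest validity exceeded
    return "ok"


def change_password(acct: Account, old: str, new: str, now: float) -> str:
    """Returns 'bad_old', 'too_soon', 'weak', 'reused' or 'ok'."""
    if now < acct.locked_until or not _matches(old, acct.salt, acct.digest):
        return "bad_old"
    if not acct.must_change and now - acct.changed_at < MIN_AGE_SECONDS:
        return "too_soon"                   # point 10: shortest validity not reached
    if not meets_complexity(new):
        return "weak"
    # The current password plus the two before it are the "previous three".
    recent = [(acct.salt, acct.digest)] + acct.history[:HISTORY_DEPTH - 1]
    if any(_matches(new, s, d) for s, d in recent):
        return "reused"                     # point 11: same as one of the previous three
    acct.history = recent
    acct.salt, acct.digest = hash_password(new)
    acct.changed_at, acct.must_change = now, False
    return "ok"
```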
Regulations on the Notification and Response of Cyber Security Incident (Chinese-English comparison)

Chapter 1 General Provisions

Article 1 These Regulations are stipulated in accordance with Paragraph 4 of Article 14 and Paragraph 4 of Article 18 of the Cyber Security Management Act (hereinafter referred to as the “Act”).
Article 2 Cyber security incidents are classified into four levels.

A cyber security incident occurring to a government agency or a specific non-government agency (hereinafter referred to as “each agency”) under any of the following circumstances is a level-1 cyber security incident:
1. Minor breach of non-core business information.
2. Minor alteration of non-core business information or a non-core information and communication system.
3. Impact on or interruption of non-core business operation which can be recovered within the tolerable interruption time, affecting the daily operation of the agency.

A cyber security incident occurring to each agency under any of the following circumstances is a level-2 cyber security incident:
1. Serious breach of non-core business information, or minor breach of core business information not involving the maintenance and operation of critical infrastructure.
2. Serious alteration of non-core business information or a non-core information and communication system, or minor alteration of core business information or a core information and communication system not involving the maintenance and operation of critical infrastructure.
3. Impact on or interruption of non-core business operation which cannot be recovered within the tolerable interruption time, or impact on or interruption of the operation of core business or a core information and communication system not involving the maintenance and operation of critical infrastructure which can be recovered within the tolerable interruption time.

A cyber security incident occurring to each agency under any of the following circumstances is a level-3 cyber security incident:
1. Serious breach of core business information not involving the maintenance and operation of critical infrastructure, or minor breach of general official confidential or sensitive information, or of core business information involving the maintenance and operation of critical infrastructure.
2. Serious alteration of core business information or a core information and communication system not involving the maintenance and operation of critical infrastructure, or minor alteration of general official confidential or sensitive information, or of core business information or a core information and communication system involving the maintenance and operation of critical infrastructure.
3. Impact on or interruption of the operation of core business or a core information and communication system not involving the maintenance and operation of critical infrastructure which cannot be recovered within the tolerable interruption time, or impact on or interruption of the operation of core business or a core information and communication system involving the maintenance and operation of critical infrastructure which can be recovered within the tolerable interruption time.

A cyber security incident occurring to each agency under any of the following circumstances is a level-4 cyber security incident:
1. Serious breach of general official confidential or sensitive information, or of core business information involving the maintenance and operation of critical infrastructure, or breach of classified national security information.
2. Serious alteration of general official confidential or sensitive information, or of core business information or a core information and communication system involving the maintenance and operation of critical infrastructure, or alteration of classified national security information.
3. Impact on or interruption of the operation of core business or a core information and communication system involving the maintenance and operation of critical infrastructure which cannot be recovered within the tolerable interruption time.
Article 3 The content of the notification of a cyber security incident shall include the following items:
1. The agency where the incident occurred.
2. The time of occurrence or of awareness.
3. A description of the situation.
4. Assessment of the level.
5. Measures taken in response to the incident.
6. Assessment of the need for external support.
7. Other relevant items.
Chapter 2 Notification and Response of Cyber Security Incidents of Government Agencies

Article 4 Upon becoming aware of a cyber security incident, the government agency shall, within one hour, notify the incident in the manner and to the recipients designated by the competent authority.

When the level of the cyber security incident under the preceding paragraph changes, the government agency shall continue the notification as provided for in the preceding paragraph.

Where the government agency is for any reason unable to notify in the manner specified in Paragraph 1, it shall notify in another appropriate manner within the timeframe prescribed in the same paragraph, and note the reason why notification in the required manner was not possible.

After the reason preventing notification in the manner required under Paragraph 1 no longer exists, the government agency shall supplement the notification in that manner.
Article 5 After completing its own notification of a cyber security incident, the competent authority shall complete the review of the level of such incident within the following timeframes, and may change its level according to the review result:
1. Within eight hours after receipt of the notification, for an incident notified as level-1 or level-2.
2. Within two hours after receipt of the notification, for an incident notified as level-3 or level-4.

The Presidential Office, the agencies directly subordinate to the central first-level agencies, and the special municipality and county (city) governments shall, after the notification of a cyber security incident by themselves, by their subordinate or supervised government agencies, by the offices of their governed villages (townships/cities) and mountain indigenous districts of special municipalities together with the government agencies subordinate to or supervised by those offices, and by the representative councils of the above-said villages (townships/cities) and mountain indigenous districts of special municipalities, complete the review of the level of such incident within the timeframes required under the preceding paragraph, and may change its level according to the review result.

After completing the required review of the level of the cyber security incident, the agencies under the preceding paragraph shall notify the competent authority of the review result within one hour, and shall provide the information on which the review was based.

The Presidential Office, the National Security Council, the Legislative Yuan, the Judicial Yuan, the Examination Yuan, the Control Yuan, and the special municipality and county (city) councils shall, after completing their own notification of a cyber security incident, complete the review of the level of such incident within the timeframes specified in Paragraph 1, and shall notify the competent authority and provide the relevant information as required under the preceding paragraph.

Upon receipt of the notifications under the preceding two paragraphs, the competent authority shall re-review the level of the cyber security incident according to the relevant information, and may change its level according to the result. However, where the competent authority deems it necessary, or where the agencies under Paragraph 2 and the preceding paragraph fail to notify the review result as required, the competent authority may directly review such incident and change its level.
Article 6 Upon becoming aware of a cyber security incident, the government agency shall complete damage control or recovery operations within the following timeframes, and shall handle notification matters in the manner and to the recipients designated by the competent authority:
1. For a level-1 or level-2 cyber security incident, within seventy-two hours of becoming aware of the incident.
2. For a level-3 or level-4 cyber security incident, within thirty-six hours of becoming aware of the incident.

After completing damage control or recovery operations under the preceding paragraph, the government agency shall continue the investigation and management of the cyber security incident, and shall submit an investigation, management and improvement report within one month in the manner designated by the competent authority.

The time limit for submission of the investigation, management and improvement report under the preceding paragraph may be extended with the consent of the superior or supervising agency and the competent authority.

Where the superior or supervising agency or the competent authority deems it necessary, or finds any violation of laws or regulations, impropriety or other matter requiring improvement in the investigation, management and improvement report under Paragraph 2, it may require the government agency to provide explanations and make adjustments.
Article 7 The Presidential Office, the agencies directly subordinate to the central first-level agencies, and the special municipality and county (city) governments shall, as circumstances require, provide necessary support or assistance to the government agencies subordinate to, supervised or governed by them, or related to their business, in the implementation of the notification and response of cyber security incidents.

The competent authority may, as circumstances require, provide necessary support or assistance to government agencies in the implementation of the response to cyber security incidents.

After a government agency becomes aware of a level-3 or level-4 cyber security incident, its Cyber Security Officer shall convene a meeting to discuss relevant matters, and may request relevant agencies to provide assistance.
Article 8 The Presidential Office, the agencies directly subordinate to the central first-level agencies, and the special municipality and county (city) governments shall plan and conduct cyber security exercises for themselves, for their subordinate or supervised government agencies, for the offices of their governed villages (townships/cities) and mountain indigenous districts of special municipalities together with the government agencies subordinate to or supervised by those offices, and for the representative councils of the above-said villages (townships/cities) and mountain indigenous districts of special municipalities, and shall submit the implementation status and result report to the competent authority within one month after completion.

The content of the exercises under the preceding paragraph shall include at least the following items:
1. Social engineering exercise, conducted once every six months.
2. Cyber security incident notification and response exercise, conducted once a year.

The Presidential Office, the central first-level agencies, and the special municipality and county (city) councils shall plan and conduct cyber security exercises in accordance with the preceding paragraph.
Article 9 The government agency shall stipulate operational regulations on the notification of cyber security incidents, the content of which shall include the following matters:
1. The process and responsibilities for determining the level of an incident.
2. Assessment of the scope of impact and degree of damage of an incident and of the agency's response capability.
3. The internal notification process for cyber security incidents.
4. The method of notifying other agencies affected by a cyber security incident.
5. Exercises of the matters in the preceding four items.
6. The contact point and contact method for cyber security incident notification.
7. Other matters relating to cyber security incident notification.
Article 10 The government agency shall stipulate operational regulations on the response to cyber security incidents, the content of which shall include the following matters:
1. The organization of the response team.
2. Exercises before the occurrence of an incident.
3. The damage control mechanism upon the occurrence of an incident.
4. The recovery, forensics, investigation and improvement mechanisms after the occurrence of an incident.
5. Preservation of records relating to the incident.
6. Other matters relating to cyber security incident response.
Chapter 3 Notification and Response of Cyber Security Incidents of Specific Non-Government Agencies

Article 11 Upon becoming aware of a cyber security incident, the specific non-government agency shall, within one hour, notify the incident in the manner designated by the central authority in charge of relevant industry.

When the level of the cyber security incident under the preceding paragraph changes, the specific non-government agency shall continue the notification as provided for in the preceding paragraph.

Where the specific non-government agency is for any reason unable to notify in the manner specified in Paragraph 1, it shall notify in another appropriate manner within the timeframe prescribed in the same paragraph, and note the reason why notification in the required manner was not possible.

After the reason preventing notification in the manner required under Paragraph 1 no longer exists, the specific non-government agency shall supplement the notification in that manner.
Article 12 After the specific non-government agency has completed the notification of a cyber security incident, the central authority in charge of relevant industry shall complete the review of the level of such incident within the following timeframes, and may change its level according to the review result:
1. Within eight hours after receipt of the notification, for an incident notified as level-1 or level-2.
2. Within two hours after receipt of the notification, for an incident notified as level-3 or level-4.

After completing the review of the cyber security incident under the preceding paragraph, the central authority in charge of relevant industry shall proceed as follows:
1. Where the review result is a level-1 or level-2 cyber security incident, it shall periodically compile the review results, their basis and other necessary information, and submit them to the competent authority in the manner designated by the competent authority.
2. Where the review result is a level-3 or level-4 cyber security incident, it shall, within one hour after completion of the review, submit the review result, its basis and other necessary information to the competent authority in the manner designated by the competent authority.

Upon receipt of the information under the preceding paragraph, the competent authority may re-review the level of the cyber security incident and may change its level.
Article 13 Upon becoming aware of a cyber security incident, the specific non-government agency shall complete damage control or recovery operations within the following timeframes, and shall handle notification matters in the manner designated by the central authority in charge of relevant industry:
1. For a level-1 or level-2 cyber security incident, within seventy-two hours of becoming aware of the incident.
2. For a level-3 or level-4 cyber security incident, within thirty-six hours of becoming aware of the incident.

After completing damage control or recovery operations under the preceding paragraph, the specific non-government agency shall continue the investigation and management of the incident, and shall submit an investigation, management and improvement report within one month in the manner designated by the central authority in charge of relevant industry.

The time limit for submission of the investigation, management and improvement report under the preceding paragraph may be extended with the consent of the central authority in charge of relevant industry.

Where the central authority in charge of relevant industry deems it necessary, or finds any violation of laws or regulations, impropriety or other matter requiring improvement in the investigation, management and improvement report under Paragraph 2, it may require the specific non-government agency to provide explanations and make adjustments.

For the investigation, management and improvement report submitted by a specific non-government agency on a level-3 or level-4 cyber security incident, the central authority in charge of relevant industry shall, after its review, forward the report to the competent authority; where the competent authority deems it necessary, or finds any violation of laws or regulations, impropriety or other matter requiring improvement, it may require the specific non-government agency to provide explanations and make adjustments.
Article 14 The central authority in charge of relevant industry shall, as circumstances require, provide necessary support or assistance to the specific non-government agencies under its authority in the implementation of the notification and response of cyber security incidents.

The competent authority may, as circumstances require, provide necessary support or assistance to specific non-government agencies in the implementation of the response to cyber security incidents.

After a specific non-government agency becomes aware of a level-3 or level-4 cyber security incident, it shall convene a meeting to discuss relevant matters.
Article 15 The specific non-government agency shall stipulate operational regulations on the notification of cyber security incidents, the content of which shall include the following matters:
1. The process and responsibilities for determining the level of an incident.
2. Assessment of the scope of impact and degree of damage of an incident and of the agency's response capability.
3. The internal notification process for cyber security incidents.
4. The timing and method of notifying other agencies affected by a cyber security incident.
5. Exercises of the matters in the preceding four items.
6. The contact point and contact method for cyber security incident notification.
7. Other matters relating to cyber security incident notification.
Article 16 The specific non-government agency shall stipulate operational regulations on the response to cyber security incidents, the content of which shall include the following matters:
1. The organization of the response team.
2. Exercises before the occurrence of an incident.
3. The damage control mechanism upon the occurrence of an incident, and the mechanism for requesting technical support or other necessary assistance from the central authority in charge of relevant industry.
4. The recovery, forensics, investigation and improvement mechanisms after the occurrence of an incident.
5. Preservation of records relating to the incident.
6. Other matters relating to cyber security incident response.
Chapter 4 Supplementary Provisions

Article 17 For a level-3 or level-4 cyber security incident of any agency, the competent authority may convene a meeting and invite relevant agencies to discuss damage control, recovery and other relevant matters of such incident.
Article 18 The government agency shall cooperate with the cyber security exercises planned and conducted by the competent authority, the content of which may include the following items:
1. Social engineering exercise.
2. Cyber security incident notification and response exercise.
3. Cyber offense and defense exercise.
4. Scenario exercise.
5. Other necessary exercises.
Article 19 The specific non-government agency shall cooperate with the cyber security exercises planned and conducted by the competent authority, the content of which may include the following items:
1. Cyber offense and defense exercise.
2. Scenario exercise.
3. Other necessary exercises.

Where a cyber security exercise planned and conducted by the competent authority is likely to infringe the rights or legitimate interests of a specific non-government agency, it may be conducted only with the prior written consent of that agency.

The written consent under the preceding paragraph may be given by electronic document in accordance with the Electronic Signatures Act.
Article 20 If, before these Regulations take effect, a government agency has, on its own or jointly with other agencies, established a cyber security incident notification and response mechanism for itself, for the government agencies under its jurisdiction or supervision, or for the specific non-government agencies it regulates, and has implemented that mechanism for one year or more, it may, upon approval by the competent authority, continue to conduct cyber security incident notification and response under that mechanism together with the government agencies under its jurisdiction or supervision or the specific non-government agencies it regulates.
Any change to the notification and response mechanism under the preceding paragraph shall be submitted to the competent authority for re-approval.

Article 21 The date of enforcement of these Regulations shall be determined by the competent authority.
Regulations on Audit of Implementation of Cyber Security Maintenance Plan of Specific Non-Government Agency (Chinese-English comparison)

Article 1 These Regulations are stipulated in accordance with Paragraph 2 of Article 7 of the Cyber Security Management Act.

Article 2 Any document that these Regulations require to be in writing may be made as an electronic document in accordance with the Electronic Signatures Act.
Article 3 The competent authority shall, each year, select the specific non-government agencies to be audited in each quarter of that year (hereinafter referred to as the "audited agency") and shall audit the implementation of their cyber security maintenance plans by way of onsite audit.
In selecting the audited agencies under the preceding paragraph, the competent authority shall give comprehensive consideration to the importance and sensitivity of their business, the size and nature of their information and communication systems, the frequency and severity of cyber security incidents, the results of cyber security exercises, the frequency and results of audits conducted over past years by the competent authority or the central authority in charge of the relevant industry, and other factors relating to cyber security.
To conduct the audit under Paragraph 1, the competent authority shall establish an audit plan, the content of which shall include the basis and purpose of the audit, its period, its key areas, the manner of forming the audit team, confidentiality obligations, the audit method, criteria and items, and the matters on which the central authority in charge of the relevant industry is to assist.
In determining the key areas, criteria and items of the audit under the preceding paragraph, the competent authority shall give comprehensive consideration to the national cyber security policy, domestic and foreign cyber security trends, the contents and results of past audit plans, and other factors relating to the proper allocation of audit resources or the effectiveness of the audit.
Article 4 In conducting the audit under Paragraph 1 of the preceding article, the competent authority shall notify the audited agency of the audit plan in writing one month before the audit.
Where the audited agency has business reasons or other justifiable grounds, it may, within five days of receiving the notice under the preceding paragraph, apply in writing to the competent authority, stating its reasons, for an adjustment of the audit date.
The application under the preceding paragraph is limited to one time, except in cases of force majeure.
Article 5 In conducting the audit under Paragraph 1 of Article 3, the competent authority may require the audited agency to explain the implementation of its cyber security maintenance plan, to cooperate, or to present relevant documents and supporting materials for onsite inspection, and may carry out the following, with which the audited agency and its personnel shall cooperate:
1. Pre-audit interview.
2. Onsite audit.
Where the audited agency has justifiable reasons under the law for being unable to give the explanations, cooperate or present materials for onsite inspection under the preceding paragraph, it shall state the reasons in writing to the competent authority.
Upon receiving the written statement under the preceding paragraph, the competent authority shall review it, act in accordance with the following provisions, and may suspend all or part of the audit operations:
1. If it finds the reasons justified, it shall record the basis of its review and the relevant information in the audit report.
2. If it finds the reasons unjustified, it shall require the audited agency to comply with Paragraph 1; where the audit operations have been suspended, it may choose another date to continue the audit and shall notify the audited agency in writing ten days in advance.
Article 6 In conducting the audit under Paragraph 1 of Article 3, the competent authority shall, based on the factors listed in Paragraph 2 of the same article, form an audit team of three to seven members for each audited agency.
In forming the audit team under the preceding paragraph, the competent authority shall, taking the needs of the audit into consideration, invite as members representatives of government agencies or experts and scholars who have professional knowledge of cyber security policy or of the technical, management, legal or practical matters required for that audit; representatives of government agencies shall make up no less than one-third of all members.
The competent authority shall agree in writing with the members of the audit team on recusal for conflicts of interest and on confidentiality obligations.
A government agency representative, expert or scholar under Paragraph 2 shall recuse himself or herself from serving as a member of the audit team for that audit in any of the following circumstances:
1. The member, his or her spouse, relatives within the third degree of kinship, family members, or a trustee of the property of any of the above persons, has a pecuniary or non-pecuniary interest in relation to the audited agency or its responsible person.
2. The member, his or her spouse, relatives within the third degree of kinship or family members currently have, or within the past two years have had, an employment, contracting, mandate, agency or other similar relationship with the audited agency or its responsible person.
3. The agency (institution) or unit in which the member currently serves, or served within the past two years, has acted as a consultant to the audited agency, and the matters consulted on are related to the items being audited.
4. Other circumstances sufficient to suggest that the member's participation in the audit team would affect the impartiality of the audit result.
Article 7 The competent authority shall, within one month after completing the audit operations for the audited agencies designated for each quarter, deliver the audit report to the audited agencies of that quarter.
The audit report under the preceding paragraph shall include the scope of the audit, the deficiencies or items requiring improvement, the circumstances and reasons under Paragraph 2 of Article 5 in which the audited agency was unable to give explanations, cooperate or present materials for onsite inspection, the result of the competent authority's review under Paragraph 3 of the same article, and other content necessary to the audit.
Article 8 Where deficiencies or items requiring improvement are found in the implementation of its cyber security maintenance plan, the audited agency shall, within one month after the competent authority delivers the audit report, submit an improvement report in the manner designated by the competent authority and send a copy to the central authority in charge of the relevant industry; the competent authority and the central authority in charge of the relevant industry may, when they consider it necessary, require the audited agency to give explanations or make adjustments.
After submitting the improvement report under the preceding paragraph, the audited agency shall report on the implementation of the improvement report in the manner and at the time designated by the competent authority and send a copy to the central authority in charge of the relevant industry; the competent authority may, when it considers it necessary, require the audited agency to give explanations or make adjustments.
Article 9 In conducting the audit under Paragraph 1 of Article 3, the competent authority may require the central authority in charge of the relevant industry of the audited agency to dispatch personnel to provide necessary assistance.

Article 10 The date of enforcement of these Regulations shall be determined by the competent authority.
Cyber Security Information Sharing Regulations (Chinese-English comparison)

Article 1 These Regulations are stipulated in accordance with Paragraph 2 of Article 8 of the Cyber Security Management Act (hereinafter referred to as the Act).
Article 2 The term "cyber security information" (hereinafter referred to as the Information) as used in these Regulations means information containing any of the following:
1. Malicious reconnaissance or intelligence-gathering activity against information and communication systems.
2. Security vulnerabilities of information and communication systems.
3. Methods that defeat the security controls of information and communication systems or exploit security vulnerabilities.
4. Information relating to malicious programs.
5. The actual damage or possible negative impact caused by a cyber security incident.
6. Measures used to detect, prevent or respond to the circumstances under the preceding five subparagraphs, or to mitigate the damage therefrom.
7. Other technical information relating to cyber security incidents.
Article 3 The competent authority shall engage in international cooperation on information sharing.
The competent authority shall share information with government agencies in a timely manner.
Government agencies shall share information with the competent authority in a timely manner, unless the information has already been shared under the preceding paragraph or has been made public.
The central authority in charge of the relevant industry shall share information in a timely manner with the specific non-government agencies it regulates.
Specific non-government agencies may share information with the central authority in charge of the relevant industry.
Article 4 Information may not be shared in any of the following circumstances:
1. The information involves trade secrets of an individual, juristic person or group, or relates to the operation of a business, and its disclosure or provision would infringe upon the rights or other legitimate interests of a government agency, individual, juristic person or group; unless otherwise provided by law or regulation, or necessary for the public interest, or necessary to protect the life, body or health of the people, or with the consent of the party concerned.
2. Other circumstances in which the information is required by law or regulation to be kept confidential, or in which its disclosure is restricted or prohibited.
Where the information contains content that may not be shared under the preceding paragraph, only the remaining portions may be shared.
Article 5 In sharing information, a government agency or specific non-government agency (hereinafter referred to as each agency) shall analyze and integrate the information and plan appropriate security measures to prevent the leakage of the content of the information, personal data or information that may not be shared under laws or regulations, and to prevent unauthorized access to or tampering with it.
Article 6 For the information it receives, each agency shall assess the reliability of its source and its timeliness, promptly analyze threats and vulnerabilities and assess potential risks, and take corresponding preventive or response measures.
Article 7 When integrating information, each agency may perform correlation analysis against its internal information based on the source, date of receipt, period of validity, category and threat indicator characteristics of the information, and other appropriate items.
A government agency shall share information on new types of threats discovered through such integration.
Article 8 For the information it receives, each agency shall take appropriate security measures to prevent the leakage of the content of the information, personal data or information that may not be shared under laws or regulations, and to prevent unauthorized access to or tampering with it.
Article 9 Each agency shall share information in the manner designated by the competent authority or the central authority in charge of the relevant industry, respectively.
Where an agency is for any reason unable to share information in the manner under the preceding paragraph, it may, with the consent of the competent authority or the central authority in charge of the relevant industry, respectively, do so in any of the following manners:
1. In writing.
2. Fax.
3. Email.
4. Information system.
5. Other appropriate manner.
Article 10 An individual, juristic person or group to whom the Act does not apply may, with the consent of the competent authority or the central authority in charge of the relevant industry, share information with that authority.
In consenting to information sharing with an individual, juristic person or group under the preceding paragraph, the competent authority or the central authority in charge of the relevant industry shall agree with them in writing that they will comply with Articles 4 through 9.
Article 11 The date of enforcement of these Regulations shall be determined by the competent authority.