These Regulations are enacted in accordance with the provisions of Paragraphs 1 and 5 of Article 42 of the Telecommunications Management Act and shall apply to stations set up by radio and television business operators.
The establisher of PSTN (hereinafter referred to as the establisher) shall, within three months from the date of notification by the competent authority, conduct an inventory check and self-evaluation by means of the critical telecommunications infrastructure survey form (hereinafter referred to as the survey form) announced by the competent authority. After completion of the inventory check and self-evaluation of various telecommunication infrastructures of PSTN, the establisher shall submit the information to the competent authority.
Should the items in the survey form in the preceding paragraph be deemed incomplete, the establisher shall be notified by the competent authority to undertake corrective action within a prescribed period of time.
After reviewing the survey form in accordance with the preceding article, the competent authority may designate all or part of the public telecommunications network as primary, secondary or tertiary critical telecommunications infrastructure.
The designation criteria for the examination in the preceding paragraph shall be announced by the competent authority.
The establisher of critical telecommunications infrastructure (hereinafter referred to as the critical telecommunications infrastructure establisher ) shall, within three months after the competent authority designates the critical telecommunications infrastructure and its level, in accordance with the format and items specified in the critical telecommunications infrastructure security protection plan template, formulate its critical telecommunications infrastructure protection plan and submit it to the competent authority for evaluation.
Should the critical telecommunications infrastructure protection plan submitted by the critical telecommunications infrastructure establisher be deemed incomplete, the establisher shall be notified by the competent authority to undertake corrective action within a prescribed period of time.
The critical telecommunications infrastructure establisher shall be implemented in accordance with the critical telecommunications infrastructure protection plan assessed by the competent authority; any changes to the critical telecommunications infrastructure protection plan shall be reported to the competent authority for reassessment.
The benchmark items used by the competent authority to assess critical telecommunications infrastructure protection plans shall be as follows:
1. Objectives and protection organization: This shall specify the planning basis, facility level, basic facility information, facility safety protection goals, facility protection management team, importance of facility, etc.;
2. Inventory of information and communication systems: shall specify facilities, systems, networks, external key resources, and internal necessary assets;
3. Risk assessment: shall specify threat identification, impact assessment, and the impact of key resource interruption;
4. Scope of protection: shall specify disaster mitigation strategies and order of priority of enhancement projects;
5. Control measures and implementation: shall specify the notification and contingency plans of various disaster threats (natural, man-made, and information security) in the four stages of prevention, disaster reduction, response, and recovery, and the protection and management of internal necessary assets and external critical resources projects and priorities of implementation;
6. The effectiveness of implementation: shall specify exercise plans, work items, measurement frequency and basis, review and improvement projects, and improvement progress mastering and tracking for determining effectiveness of the implementation of various plans and standard operating procedures (SOP).
The competent authority may designate the critical telecommunications infrastructure establisher to conduct drills in accordance with its assessed protection plan, and undertake evaluation of the drills.
Should there be any issues in need of improvement after evaluation of the drills of the preceding paragraph, the critical telecommunications infrastructure establisher shall undertake corrective action within a specific period as notified by the competent authority.
the critical telecommunications infrastructure establisher shall regularly undertake inventory checks and self-evaluation of the various telecommunications infrastructure of their PSTN according to the survey form; should there be any change in the results of their inventory and self-evaluation, the from shall be submitted to the competent authority for reference. When necessary, the competent authority may re-assess the critical infrastructure level based on the survey form; and designated benchmarks.
Unless otherwise provided for in these Regulations, the relevant forms and tables stipulated in these Regulations shall be separately announced by the competent authority.
These Regulations shall be implemented from the date of promulgation of the Act.