Chapter III-1 Information Security Management
Article 80-1
Upon receipt of the concession license, the operator shall establish information security protection and detection facilities within one year, and pass the following information security management verification within two years:
1. The national standard CNS 27001 or the international standard ISO/IEC 27001.
2. The New Item Audit Form of the Telecommunications Enterprise Information Security Management Manual ISO/IEC 27011 announced by the competent authority.
Operators that have already obtained a concession permit prior to the amendment to Regulations on May 22, 2017 shall establish information security protection and detection facilities within a year after the amended promulgation date, and shall pass above-mentioned information security management verification within two years after the said date.
The implementation of verification and information security protection and detection facilities as described in the preceding two paragraphs shall be reported to the competent authority for approval.
Where the operator falls under any of the following circumstances, an amendment shall be made to the implementation of the verification described in Paragraph 1 and Paragraph 2 according to the notification of competent authority. An approval shall also be received from the competent authority and the operator shall pass the information security management verification within the prescribed deadline notified by the competent authority:
1. Where the information security incident that has occurred to the system reached level 3 of the level of concern as described in Regulations Governing National Information Security Reporting and Responding Operations.
2. Where relevant agency has notified a potential harm to the national or information security.
Where there is any potential harm to national or information security, the competent authority, upon receipt of relevant agency’s notification, may require the operator to shorten the period aforementioned in Paragraph 1 and Paragraph 2.
The operator shall not only conduct penetration testing (PT), vulnerability scanning and maintenance work on a regular basis, but also establish defense and response measures to notify, handle and report information security incidents in accordance with the information security response operating procedures announced by the competent authority.
Where an information security incident takes place, the operator shall, according to information security incident notified by the competent authority, conduct emergency response measures, retain relevant records, and report to the competent authority. The said records shall be preserved for at least six months.
Article 80-2
The operator’s telecommunications equipment room or internet data center shall be physically isolated and equipped with an independent entrance / exit.
The access control security management systems, including all-weather intrusion alerts and video surveillance, shall be installed at the entrance / exit as described in the preceding paragraph. The alerts and recorded videos shall be preserved for at least six months.
Access to the telecommunications equipment room or internet data center as described in Paragraph 1 shall be prohibited, except for installation, maintenance, monitoring or other operational purposes that are deemed necessary.
The operator shall set respective security management and operation rules for different telecommunications equipment rooms and / or internet data centers; the rules shall be reported to the competent authority for reference.
The security management and operation rules in the preceding paragraph shall include at least the following items:
1. Division of rights and responsibilities: including the authorities related to the security maintenance zone, responsible units, staff organization and duties, and access to the telecommunications equipment room (internet data center).
2. Access control management: including the management of identification (name and ID card or passport number), organization (institution), entry (exit) time, and entry (exit) purposes of staff, subcontractors, visitors or internet data center guests who enter the telecommunications equipment room (internet data center); auditor’s audit records; and objects entering (exiting) the room (center).
3. Maintenance management: management of the maintenance works conducted by internal staff or subcontractors.
4. Environment management: management of firefighting, security, electricity and relevant facilities.
5. Management records: including the access management, maintenance and environment maintenance records.
6. Audit operations: shall include regular and irregular audit works.
The management records of Subparagraph V of the preceding paragraph shall be preserved for at least six months.
The competent authority, depending on operators’ status of implementation, may require the operator to make amendments to their security management and operation rules for telecommunications equipment room (internet data center) of Subparagraph IV.
Operators shall implement security management and operation rules for telecommunications equipment room (internet data center) of Subparagraph IV; the competent authority may send personnel to conduct audit works on a regular basis or depending on the actual needs.
Article 80-3
Where the operator has established an internet data center for other telecommunications enterprises to place their telecommunications equipment in order to provide telecommunications services, the space leased to other telecommunications enterprises shall be physically isolated and equipped with an independent entrance / exit.
Where the said space does not comply with provisions of the preceding paragraph, the operator shall undertake corrective action within a year after the amendment of the Regulations on May 22, 2017. Those who fail to make corrections within the prescribed deadline shall, prior to the expiry of deadline, apply to the competent authority for an extension with reasons specified; the extension shall not be longer than six months and shall be limited to one time only.
Article 80-4
Where there is any individual who can potentially harm national security, the relevant national or information security agency shall notify the competent authority; upon receipt of the notification from the competent authority, the operator shall prohibit the said person from entering the telecommunications equipment room or internet data center.
Article 80-5
Where the outsourced design is related to the information system software of network system resources, users’ personal data and telecommunications content, or the maintenance system, the operator shall report it to the competent authority for reference. The maintenance operations shall be monitored by staff of the telecommunications equipment room; all system connection instructions shall be recorded by the staff; relevant records shall be retained for at least six months.
Operators shall not entrust any individual who can potentially harm national security to design the information system software of network system resources, users’ personal data and telecommunications content, or to maintain and test the connection of remote systems.