Chapter III-1 Information Security Management
Article 83-1
Upon receipt of the concession license, the operator shall establish information security protection and detection facilities within one year, and pass the following information security management verification within two years:
1.The national standard CNS 27001 or the international standard ISO/IEC 27001.
2.The New Item Audit Form of the Telecommunications Enterprise Information Security Management Manual ISO/IEC 27011 announced by the competent authority.
Operators that had already obtained a concession permit before the amendment to these Regulations on May 22, 2017 shall establish information security protection and detection facilities within one year after the promulgation date of the amendment, and shall pass the above-mentioned information security management verification within two years after that date.
The implementation of verification and information security protection and detection facilities as described in the preceding two paragraphs shall be reported to the competent authority for approval.
Where the operator falls under any of the following circumstances, it shall, as notified by the competent authority, amend its implementation of the verification described in Paragraphs 1 and 2, obtain the approval of the competent authority, and pass the information security management verification within the deadline notified by the competent authority:
1.Where an information security incident affecting the operator's system has reached level 3 on the level-of-concern scale defined in the Regulations Governing National Information Security Reporting and Responding Operations.
2.Where a relevant agency has given notice of a potential harm to national or information security.
Where there is any potential harm to national or information security, the competent authority, upon receipt of a relevant agency's notification, may require the operator to shorten the periods prescribed in Paragraphs 1 and 2.
The operator shall not only conduct penetration testing (PT), vulnerability scanning and maintenance work on a regular basis, but also establish defense and response measures for notifying, handling and reporting information security incidents in accordance with the information security response operating procedures announced by the competent authority.
Where an information security incident occurs, the operator shall, in accordance with the information security incident response procedures notified by the competent authority, take emergency response measures, retain the relevant records, and report to the competent authority. The said records shall be preserved for at least six months.
Article 83-2
The operator's telecommunications equipment room or internet data center shall be physically isolated and equipped with an independent entrance / exit.
Access control security management systems, including round-the-clock intrusion alarms and video surveillance, shall be installed at the entrance / exit described in the preceding Paragraph. The alarm records and video recordings shall be preserved for at least six months.
Access to the telecommunications equipment room or internet data center described in Paragraph 1 shall be prohibited, except for persons with installation, maintenance, monitoring or other operational purposes deemed necessary.
The operator shall establish separate security management and operation rules for each telecommunications equipment room and / or internet data center; the rules shall be reported to the competent authority for reference.
The security management and operation rules in the preceding Paragraph shall include at least the following items:
1.Division of rights and responsibilities: including the authorities related to the security maintenance zone, the responsible units, staff organization and duties, and access to the telecommunications equipment room (internet data center).
2.Access control management: including the management of the identity (name and ID card or passport number), organization (institution), entry (exit) time, and entry (exit) purpose of staff, subcontractors, visitors or internet data center guests who enter the telecommunications equipment room (internet data center); the auditor's audit records; and items entering (exiting) the room (center).
3.Maintenance management: management of the maintenance work conducted by internal staff or subcontractors.
4.Environment management: management of fire protection, security, power supply and related facilities.
5.Management records: including access control, maintenance and environmental management records.
6.Audit operations: shall include both regular and ad hoc audits.
The management records of Subparagraph 5 of the preceding Paragraph shall be preserved for at least six months.
The competent authority may, depending on the operator's status of implementation, require the operator to amend its security management and operation rules for the telecommunications equipment room (internet data center) established under Paragraph 4.
Operators shall implement the security management and operation rules for the telecommunications equipment room (internet data center) established under Paragraph 4; the competent authority may send personnel to conduct audits on a regular basis or as actual needs require.
Article 83-3
Where the operator has established an internet data center for other telecommunications enterprises to place their telecommunications equipment in order to provide telecommunications services, the space leased to other telecommunications enterprises shall be physically isolated and equipped with an independent entrance / exit.
Where the said space does not comply with the provisions of the preceding Paragraph, the operator shall take corrective action within one year after the amendment of these Regulations on May 22, 2017. An operator that is unable to complete the corrections within the prescribed deadline shall, before the deadline expires, apply to the competent authority for an extension stating its reasons; the extension shall not exceed six months and shall be granted only once.
Article 83-4
Where an individual may potentially harm national security, the relevant national security or information security agency shall notify the competent authority; upon receipt of the notification from the competent authority, the operator shall prohibit the said person from entering the telecommunications equipment room or internet data center.
Article 83-5
An operator that plans to entrust other parties with the design and development of network system resources, or with the maintenance of systems involving network system resources and users' personal information and communication content, shall first report to the competent authority for reference. Maintenance operations shall be fully monitored by the staff of the telecommunications equipment room, and the operating instructions issued over the system connection shall be fully recorded. The records of the said maintenance shall be kept on file for a minimum of six months.
Operators shall not entrust personnel suspected of endangering national security with the design and development of information and communications system software related to network system resources and users' personal information and communication content, or with remote system connection maintenance and testing operations.