Chapter 5 Cyber Security Management
Article 18
The cyber security management requirements set forth in this chapter do not apply to community-based and regional broadcasting enterprises.
The requirement in the preceding paragraph may be reviewed and amended by the competent authority as needed.
Article 19
The station equipment room of a wireless radio or television enterprise shall be isolated physically from the equipment rooms and equipment of other non-communications or broadcasting related enterprises, and provided with independent access management.
For the access management mentioned in the preceding paragraph, an access security management system capable of all-weather trespassing warning or video surveillance shall be provided. The warnings or video records shall be kept for at least 6 months.
No access shall be granted for the station equipment room mentioned in Paragraph 1, except for installation, maintenance, supervision or any other purpose necessary for operations.
The wireless radio or television enterprise shall develop a complete set of equipment room security management rules for the station equipment room established, and submit the rules to the competent authority for reference.
The security management rules for the station equipment room shall contain at least the following:
1. Division of responsibilities: this includes security maintenance areas, responsible units, staffing and duties, authorization of staff access to the equipment room, etc.
2. Access management: this includes the management of the identity of staff members, contractors or visitors, such as their name, personal ID number or passport number, their organization (department), time and purpose of access, review records of the reviewer, and objects taken in and out of the equipment room.
3. Operation management: this includes the management of operation maintenance by staff or equipment room servicing by contractors.
4. Environmental management: this includes the management of firefighting, security, power and relevant facilities.
5. Management record: this includes records of access management, operation management and environmental management.
6. Auditing: this includes scheduled and unscheduled audits.
The management records mentioned in Subparagraph 5 of the preceding paragraph shall be kept for at least 6 months.
For the equipment room security management rules for the station equipment room mentioned in Paragraph 4, the competent authority may request amendment by the wireless radio or television enterprise depending on the actual implementation by the wireless radio or television enterprise.
The wireless radio or television enterprise shall implement the equipment room security management rules for the station equipment room mentioned in Paragraph 4 and the competent authority may send a representative for inspection periodically or as needed.
Article 20
Where persons are identified by the competent authority as being of national security concern, as notified by the government authority of national security or cyber security, the wireless radio or television enterprise shall deny them access to the station equipment room as notified by the competent authority.
Article 21
In the case that a wireless radio or television enterprise entrusts a third person to design and develop information/communication system software or operation maintenance system involving network system resources, a report shall be submitted to the competent authority for reference. The operation maintenance shall be supervised by staff throughout the entire process. System connection commands shall be kept in a log file, which shall be maintained for at least 6 months.
A wireless radio or television enterprise shall not entrust a person of national security concern with the design and development of information/communication system software, remote system connection maintenance and testing involving network system resources.
Article 22
The matters specified in Articles 19 through 21 shall be in place in a year after these Regulations are promulgated.