Title: Regulations for Administration on Type II Telecommunications Business
Category: National Communications Commission(國家通訊傳播委員會)
Chapter 4-1 Information and Communication Security Management
Article 31-1
In one of the following conditions, operators shall construct information and communication security protection and detection facilities within one year upon receiving notification from the Competent Authority and conduct penetration tests, vulnerability scanning and maintenance and repairs on a regular basis. In addition, operators shall pass ISO/IEC 27001 international standards and information and communication security management verification on the added check list of ISO/IEC 27001 telecommunications business information and communication security management publication issued by the Competent Authority. The implementation of the verification shall be reported to the Competent Authority for approval and shall include the items of verification:
I. When the system of operators reaches the third level or above in Guidelines for Report and Response Operations for National Information and Communication Security.
II. In the case of potential harm to national security or information and communication security and is notified by relevant organizations.
III. When key points, the number of users or scale of use, and control of operations and facilities are considered necessary by the Competent Authority.
During the period of the preceding paragraph, the Competent Authority shall notify operators of the reduction of this period upon receiving notification from organizations related to national security or information and communication security.
Operators applying for Type II Telecommunications Business shall submit information and communication security protection and detection facility proposals and are obliged to pass the information and communication security management verification of Paragraph 1 prior to obtaining their licenses when key points, the number of users or scale of use, and control of operations and facilities are considered necessary by the Competent Authority.
Operators referred to in Paragraph 1 shall establish joint defense and response measures, such as notifying, treating, and reporting measures for information and communication security incidents in accordance with the information and communication security response operation procedure promulgated by the Competent Authority.
In the case of information and communication security incidents, operators shall conduct emergency response measures, maintain records, and report to the Competent Authority for future reference in accordance with information and communication security incidents reported by the Competent Authority. In addition, the records shall be kept for at least six months.
Article 31-2
Operators that establish telecommunications equipment rooms shall maintain a control journal to record the names, I.D. numbers or passport numbers, organizations (agencies), incoming and outgoing time and purposes of personnel coming in or going out and the reexamination records of reexamination personnel. The work journals shall be kept for at least six months.
The telecommunications equipment rooms mentioned in the preceding paragraph shall include Internet management centers.
The entrances and exits of telecommunications equipment rooms shall be installed with videotaping equipment for monitoring and recording, the records of which shall be kept for at least six months.
Upon receiving notification from the Competent Authority, which was informed by organizations related to national security or information and communication security, operators shall forbid personnel that may harm national security to enter telecommunications equipment rooms.
Article 31-3
Operators shall report to the Competent Authority for future reference; operators shall request personnel of telecommunications equipment rooms to monitor maintenance and operation tasks and thoroughly record operational instructions for system connection if they entrust other parties to design information system software or to maintain and operate systems involving Internet system resources, users' information and communication content. The records shall be kept for at least six months.
Upon receiving notification from the Competent Authority, which was informed by organizations related to national security or information and communication security, operators shall not entrust personnel who may harm national security to conduct information system software design, the maintenance and operation of remote system connection and testing operation involving Internet system resources, users' information and communication content.