MONITORING: Government agencies that handle sensitive data and some state-run companies would be given a higher clearance level, according to a new plan
By Lee Hsin-fang / Staff reporter
The Department of Cyber Security has proposed a five-tiered information security protection system, pending the approval of the Executive Yuan.
Under the proposal, the nation’s more than 10,000 central and local government agencies would be assigned a security clearance level from “A” to “E,” with “A” indicating agencies entrusted with the most sensitive data, a source close to the matter said.
Agencies to be granted top-level clearance include the Ministry of Foreign Affairs, whose Bureau of Consular Affairs keeps people’s departure records; the Ministry of the Interior, which keeps household registration data; the Ministry of Health and Welfare, which manages the National Health Insurance system; and the six special municipalities’ governments and their departments, the source said.
State-run companies, such as Taiwan Power Co （台電）, CPC Corp, Taiwan （中油）, Taiwan Water Corp （台水） and the Taiwan Railways Administration, as well as public medical centers and science parks would also be granted top-level clearance, they said.
A number of third-tier government agencies, including the Central Weather Bureau, the Civil Aeronautics Administration and the Directorate-General of Highways, are also expected to be given level A clearance, the source said.
The Executive Yuan would wait for government agencies to provide a list of departments charged with overseeing “key infrastructure” before assigning a clearance level to them, they said.
It is expected to complete the process by the end of this month and notify the agencies, the source said.
Level A agencies must perform two information security audits per year and run annual business continuity plans that simulate their core service systems being neutralized, according to the Executive Yuan’s guidelines for the determination of clearance levels.
They are also required to run two tests on their core information and communications systems and a test of malignant activities targeting their network annually, according to the guidelines.
They must have four information security officers who must not be assigned other roles, the guidelines say.
Local governments other than the six special municipality governments could be given level B clearance, in which case they would need to perform one annual information security audit and one business continuity drill every two years, the source said.
Level E agencies refer to those whose information security is maintained by their governing agencies or whose work does not involve information and communication services.
Personnel at these agencies would be required to complete three hours of information security training annually, according to the proposal.
The entrance to the Executive Yuan is pictured in Taipei on Sept. 7, 2017. Photo: Huang Yao-cheng, Taipei Times