📌 Cyber Security Management Act (CSMA)
✅ Applicable to: government agencies, state-owned enterprises, and critical infrastructure operators (e.g. finance, telecommunications, energy, healthcare).
✅ Main content:
Assignment of security responsibility: agencies and enterprises are explicitly required to fulfil their information security responsibilities.
Tiered management: agencies and enterprises are classified into five levels (A, B, C, D, E) according to their impact level, with different security requirements prescribed for each level.
Incident reporting: when a security incident occurs, it must be reported to the competent authority within the prescribed time limit.
Regular security testing: critical infrastructure operators must conduct security testing and drills every year.
✅ Penalty: failure to implement security management as required is punishable by a fine of NT$300,000 up to NT$5,000,000.
📌 Personal Data Protection Act (PDPA)
✅ Applicable to: all public and private sector entities that collect, process, or use personal data.
✅ Main content:
Principles for processing personal data: enterprises must clearly inform data subjects of the purpose of collection and obtain their consent.
Data protection measures: appropriate technical and organisational measures must be taken to prevent personal data breaches.
Breach notification: if a personal data breach occurs, the data subjects and the competent authority must be notified immediately.
✅ Penalty: violations of the personal data protection rules carry a maximum fine of NT$2 million, increased to NT$10 million in serious cases.
📌 Security Intelligence Sharing and Reporting Mechanism (TWCERT/CC)
✅ Applicable to: government agencies, public sector bodies, specific non-government agencies, critical infrastructure operators, and corporate security teams.
✅ Main content:
The Taiwan Computer Emergency Response Team / Coordination Center (TWCERT/CC) is responsible for security incident response and intelligence sharing.
It provides malware analysis, vulnerability alerts, and reports on attack trends.
📌 Critical Infrastructure Security Standards
✅ Applicable to: telecommunications, finance, energy, healthcare, transportation, and other key sectors.
✅ Main content:
Government agencies and critical infrastructure operators must deploy security protections such as endpoint security, firewalls, and intrusion detection/prevention systems (IDS/IPS).
They must conduct regular security audits and drills to ensure they can respond effectively to security incidents.
📌 Financial Security Standards (F-ISAC, ISO 27017, PCI-DSS)
✅ Applicable to: banks, insurers, securities firms, and third-party payment institutions.
✅ Main content:
F-ISAC (Financial Security Information Sharing and Analysis Center): shares security intelligence across the financial sector to improve defensive capability.
PCI-DSS (Payment Card Industry Data Security Standard): secures card transactions through measures such as encryption, mandatory MFA, and restricted access rights.
ISO 27017: a security standard specifically for cloud services, applicable to the cloud architectures of financial institutions.
⚠️ Key points for information and communications security operations in Taiwan
✅ Comply with the Cyber Security Management Act and implement security responsibilities and the incident reporting mechanism.
✅ Personal data protection should follow the Personal Data Protection Act: protect data with encryption and access control, and establish a breach response plan.
✅ Government agencies and enterprises should establish an information security management system based on the ISO 27001 / CNS 27001 standards.
✅ Critical infrastructure and the financial sector should strengthen security protection with regular drills and risk assessments.
✅ Security incidents should be reported through the TWCERT/CC mechanism to ensure timely response.
Taiwan's information and communications security management covers regulations (CSMA, Personal Data Protection Act), standards (ISO 27001, PCI-DSS), and reporting mechanisms (TWCERT/CC). Each sector should strengthen its security posture according to the rules that apply to it, ensuring the security of its information systems and reducing the risk of attacks and data breaches.