📌 Access Control
✅ Account management
General level:
Establish account management mechanisms, including procedures for account application, creation, modification, activation, deactivation and deletion.
Intermediate level:
Regularly review the application, creation, modification, activation, deactivation and deletion of information and communication system accounts.
Delete or disable temporary or emergency accounts that have expired.
Disable idle accounts.
Includes all controls of the General level.
Advanced level:
✅ Least privilege
Adopt the principle of least privilege: allow users or processes only the authorized access needed to complete their assigned tasks, according to the agency's mission and business functions.
✅ Remote access
✅ Identity authentication mechanism
General level:
The authentication mechanism should guard against automated login or password-change attempts.
The password reset mechanism should, after re-confirming the user's identity, send a one-time token with a limited validity period.
When a default password is used to log in, the system should require it to be changed immediately after login.
Authentication-related information is not transmitted in clear text.
Provide an account lockout mechanism: after five failed login attempts, the account is not allowed to attempt login for at least 15 minutes, or the agency's own failed-authentication mechanism is used.
Password-based authentication systems should enforce a minimum password complexity and enforce minimum and maximum password lifetimes.
When a user changes their password, the new password must at least not be the same as any of the three previously used passwords.
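The General-level authentication requirements above, worked through as an added example that is not part of the original page: a small Python account model that enforces the five-failure lockout for 15 minutes, the three-password history, the forced change of a default password, and a one-time, time-limited reset token. The salted PBKDF2 hashing, the account API and the ten-minute token lifetime are assumptions of this example, not values from the page.

```python
import hashlib
import secrets

MAX_FAILURES = 5            # page: lock the account after five failed login attempts
LOCKOUT_SECONDS = 15 * 60   # page: refuse further attempts for at least fifteen minutes
PASSWORD_HISTORY = 3        # page: a new password must differ from the three used before
RESET_TOKEN_TTL = 10 * 60   # assumed: the page requires a time limit but fixes no value

def _entry(password: str, salt=None) -> tuple:
    salt = salt or secrets.token_bytes(16)   # fresh salt per stored hash, never plain text
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _matches(password: str, entry: tuple) -> bool:
    return secrets.compare_digest(_entry(password, entry[0])[1], entry[1])

class Account:
    def __init__(self, password: str, default_password: bool = False):
        self.history = [_entry(password)]    # current password last, older ones before it
        self.failures, self.locked_until = 0, 0.0
        self.must_change = default_password  # a default password must be changed at first login
        self.reset_token = None              # (sha256(token), expiry); single use
    def login(self, password: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"                  # rejected even when the password is right
        if _matches(password, self.history[-1]):
            self.failures = 0
            return "change-required" if self.must_change else "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures, self.locked_until = 0, now + LOCKOUT_SECONDS
            return "locked"
        return "failed"
    def change_password(self, new_password: str) -> bool:
        # Reject the current password and the three used before it.
        if any(_matches(new_password, e) for e in self.history[-(PASSWORD_HISTORY + 1):]):
            return False
        self.history = (self.history + [_entry(new_password)])[-(PASSWORD_HISTORY + 1):]
        self.must_change = False
        return True
    def issue_reset_token(self, now: float) -> str:
        # Call only after the user's identity has been re-confirmed through another channel.
        token = secrets.token_urlsafe(32)
        self.reset_token = (hashlib.sha256(token.encode()).digest(), now + RESET_TOKEN_TTL)
        return token
    def redeem_reset_token(self, token: str, new_password: str, now: float) -> bool:
        if self.reset_token is None:
            return False
        digest, expiry = self.reset_token
        self.reset_token = None              # one-time: consumed on first use, valid or not
        if now > expiry or not secrets.compare_digest(hashlib.sha256(token.encode()).digest(), digest):
            return False
        return self.change_password(new_password)
```

Only the hash of the reset token is stored, so a leaked account record cannot be used to redeem the token; the token itself is delivered to the user once.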
Intermediate level:
In addition to the General-level requirements, multi-factor authentication should be used for network or local access to accounts.
Advanced level:
In addition to the Intermediate-level requirements, the idle timeout or usable period of each system should be defined, and, according to the usage and conditions of the information and communication system, the system should automatically log the user out when the allowed idle time or usable period is exceeded.
✅ Protection of authentication information
General level:
Ensure that authentication information (such as passwords) is stored and transmitted securely, avoiding plain-text storage or unencrypted transmission.
Intermediate level:
In addition to the General-level requirements, the security of authentication information should be checked regularly, and measures taken to prevent its leakage or unauthorized access to it.
Advanced level:
In addition to the Intermediate-level requirements, a strict management policy for authentication information should be implemented, including regular replacement of authentication information and limits on its reuse, to ensure its security.
✅ Authentication failure handling
General level:
A mechanism for handling authentication failures should be established, such as temporarily locking the account after repeated failures, to prevent brute-force attacks.
Intermediate level:
In addition to the General-level requirements, authentication failure events should be logged and reviewed regularly to identify possible security threats.
Advanced level:
In addition to the Intermediate-level requirements, real-time monitoring of authentication failures should be implemented, with response measures taken immediately when anomalies are detected.
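As an added example for the failure-handling requirements above (not from the original page): a Python detector that runs over constructed authentication log lines, raising an alert when one account reaches the page's five-failure threshold within 15 minutes and, going one step beyond the text, when a single source fails across many different accounts, which a per-account lockout alone does not catch. The log format, the eight-failure source threshold and the sample lines are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for this example; the log format is assumed, not the page's.
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth FAIL user=alice src=203.0.113.7
2024-05-01T09:00:05 auth FAIL user=alice src=203.0.113.7
2024-05-01T09:00:09 auth FAIL user=alice src=203.0.113.7
2024-05-01T09:00:14 auth FAIL user=alice src=203.0.113.7
2024-05-01T09:00:20 auth FAIL user=alice src=203.0.113.7
2024-05-01T09:05:00 auth OK   user=bob   src=198.51.100.4
2024-05-01T09:10:00 auth FAIL user=carol src=198.51.100.9
2024-05-01T09:10:01 auth FAIL user=dave  src=198.51.100.9
2024-05-01T09:10:02 auth FAIL user=erin  src=198.51.100.9
2024-05-01T09:10:03 auth FAIL user=frank src=198.51.100.9
2024-05-01T09:10:04 auth FAIL user=grace src=198.51.100.9
2024-05-01T09:10:05 auth FAIL user=heidi src=198.51.100.9
2024-05-01T09:10:06 auth FAIL user=ivan  src=198.51.100.9
2024-05-01T09:10:07 auth FAIL user=judy  src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")
WINDOW = timedelta(minutes=15)   # the same fifteen-minute window as the lockout rule
USER_THRESHOLD = 5               # page: five failures on one account
SOURCE_THRESHOLD = 8             # assumed: one source failing across many accounts

def detect(log_text: str) -> list:
    """Return (timestamp, kind, key) alerts in log order, one per burst."""
    per_user, per_src, alerts = defaultdict(deque), defaultdict(deque), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # malformed line: skip rather than crash
        ts, result, user, src = datetime.fromisoformat(m.group(1)), *m.group(2, 3, 4)
        if result != "FAIL":
            continue
        for window, key, threshold, kind in (
            (per_user[user], user, USER_THRESHOLD, "account-failure-threshold"),
            (per_src[src], src, SOURCE_THRESHOLD, "password-spray"),
        ):
            window.append(ts)
            while ts - window[0] > WINDOW:
                window.popleft()                   # drop failures older than the window
            if len(window) == threshold:           # == so each burst alerts exactly once
                alerts.append((m.group(1), kind, key))
    return alerts
```

Each alert carries the timestamp of the failure that crossed the threshold, which is what an analyst reviewing the log needs to locate the burst.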
📌 Information and communication system development and maintenance
✅ System development security
General level:
Information and communication security requirements should be incorporated into the system development process, and security testing performed.
Intermediate level:
Information and communication security requirements should be incorporated into the system development process, and security testing performed.
A security assessment should be conducted before the system goes live.
Advanced level:
Information and communication security requirements should be incorporated into the system development process, and security testing performed.
A security assessment should be conducted before the system goes live.
After the system goes live, security testing should be performed regularly.
✅ Program change management
General level:
Establish a program change management procedure to ensure that changes are authorized, tested and documented.
Intermediate level:
Establish a program change management procedure to ensure that changes are authorized, tested and documented.
Changes to critical programs should undergo an impact assessment.
Advanced level:
Establish a program change management procedure to ensure that changes are authorized, tested and documented.
Changes to critical programs should undergo an impact assessment.
Audit program changes to ensure they comply with information and communication security requirements.
✅ System development life cycle: deployment and maintenance phase
General level:
In the deployment environment, apply updates and patches against relevant information and communication security threats, and close unnecessary services and ports.
The information and communication system does not use default passwords.
Intermediate level:
Advanced level:
In addition to the Intermediate-level requirements, implement the necessary controls for the security requirements.
📌 Information and communication system operation
✅ Log management: logs are retained for at least 6 months
General level:
Intermediate level:
The information and communication system should generate logs recording user activities, system events and the like.
Logs should be backed up regularly and stored properly.
Advanced level:
The information and communication system should generate logs recording user activities, system events and the like.
Logs should be backed up regularly and stored properly.
Logs should be reviewed regularly, and any anomalies found should be handled immediately.
✅ Malware protection
General level:
Intermediate level:
The information and communication system should take measures to prevent the intrusion and spread of malware.
Malware protection software should be updated regularly.
Malware detection should be performed regularly, and the effectiveness of the protective measures evaluated.
📌 Communications and operations management
✅ Network security management
General level:
Intermediate level:
Network operation and security guidelines should be managed on a "deny by default, allow by exception" basis, with access logging and a mechanism for monitoring and reporting traffic anomalies.