01.2024 Office Talk
Strengthening Information Security in the Digital Era: Overview of the Draft Amendment to the Information Security Law
Far Eastern New Century Corporation / Jian Junru
The Information Security Management Law (hereinafter referred to as the Information Security Law) was formulated and promulgated on June 6, 2018, and has been in effect since January 1, 2019. With the rapid development of information and communication technology, information security threats are also increasing. To strengthen information security protection, the Ministry of Digital Development has announced an amendment to the Information Security Law. What does the revised draft contain? What impact will it have on information security management? This article gives you a first look.
Overview of the Draft Amendment to the Information Security Law
 The draft amendment to the Information Security Law mainly includes five key points:
1. Adjustment of regulatory authorities and institutional strengthening
The competent authority has been changed from the original Executive Yuan to the Ministry of Digital Development, and the executing agency is the Information Security Administration. In addition to strengthening policy consistency, this can also increase horizontal communication and joint defense mechanisms to address increasingly complex information security challenges.
2. Government agencies are prohibited from using products that pose a threat to information security
The draft stipulates that government agencies are not allowed to purchase or use products that pose a threat to information security, and elevates this principle to the legal level. In addition, to avoid the use of harmful products with hidden backdoors or Trojan programs, downloading, installing, or using products that endanger information security is explicitly prohibited on the official equipment used by government officials.
3. Strengthen the security of government officials and introduce local joint defense measures
To improve the level of information security in government agencies, the revised draft introduces a local joint defense and hierarchical supervision model. When the audit agency discovers deficiencies in the information security maintenance plan, in addition to submitting an improvement report to the agency, it must also report to the Information Security Administration.
4. Strengthen the information security management of specific non-government agencies
One of the most important changes in the draft is to require specific non-government agencies (such as banks and telecommunications companies) to establish a Chief Information Security Officer and improve the level of information security governance. At the same time, relevant departments are granted the authority to conduct administrative investigations. When a major information security incident occurs, the situation and the handling of it should be announced, and a fine of NTD 100,000 to 1 million should be imposed on any attempt to evade, obstruct or refuse administrative investigation. If a security incident involves the leakage of personal data, it shall be handled in accordance with the Personal Data Protection Act to protect the rights and interests of the parties involved.
This measure is consistent with the recent requirement of the Stock Exchange that publicly listed companies establish a chief information security officer, further highlighting that information security management must be led by senior executives of the company. In addition, the procedures and scope of administrative inspections will also be incorporated into the legal system to avoid the abuse of power by administrative agencies.
5. Establish a unified ("one-whip") system for government information security personnel
Government agencies should have dedicated information security personnel who meet the level of information security responsibility, and the Information Security Administration should be responsible for promoting functional training of information security personnel to respond to major information security incidents.
The Ministry of Digital Development stated that this amendment still mainly applies to public departments and specific non-government agencies, including critical infrastructure and public enterprises or specific corporate entities, and has not yet been expanded to general enterprises. The spirit of the amendment lies in strengthening the information security system of the public and private sectors through the legal system, establishing a foundation for joint governance of information security, and improving the overall resilience of Taiwan's information security.
The Impact of the Amendment to the Information Security Law
The revision of the Information Security Law has a profound impact on the management of information security. Firstly, government agencies will have a clearer understanding of information security management and more flexible mechanisms. Furthermore, specific non-government agencies need to strengthen information security management and establish chief information security officers, which will enhance the capacity of these institutions to respond to information security challenges. With the introduction of local joint defense and hierarchical supervision models, information security management is no longer only the responsibility of the central government; local participation is strengthened as well, forming a comprehensive protection network. This can be said to be major progress in information security protection in the digital era.
Epilogue
Last year, we introduced in our magazine the use of spear phishing to spread fake emails, BEC fraud emails sent by fake executives to defraud funds, the security impact of supply chain management, and the new security challenges and risks brought about by generative AI. All of these highlighted the need for companies to continuously improve their security awareness and help employees establish correct protection concepts. After all, the external environment is difficult to control, and only by preparing in advance and building team consensus can we turn crises into turning points and ensure the sustained growth and prosperity of enterprises. Although the scope of this revision of the Information Security Law has not been expanded to general enterprises, it still demonstrates the government's attention to information security threats and provides a more comprehensive regulatory foundation. We hope to establish a stronger information security defense line through the joint efforts of the whole nation and meet the challenges of the digital age in the future.