2018 iT 邦幫忙鐵人賽 (2018 iThelp Ironman Contest), DAY 22
Category: Security

Series: 鯊魚咬電纜:30天玩Wireshark (Shark Bites the Cable: 30 Days with Wireshark), part 27

[Bonus Day 19] Taiwan's Draft Cyber Security Management Act: Information Security Management Bill Introduction

As the digital age advances, people's lifestyles and the shape of society are gradually changing. From opening the newspaper before work in the morning to catch up on the news, to opening a smartphone today to follow events in Taiwan and around the world, none of it happens without the network. Even the MRT we ride to and from work every day, the electricity we use, the water we drink and the money we withdraw all depend on networks and information systems to operate.

Therefore, the secure operation of networks and information systems has gradually become as important as water and electricity. The infrastructure mentioned above, whose failure would affect the functioning of the nation and our society, is called "critical infrastructure". The networks and information systems whose secure operation critical infrastructure depends on are in turn called "critical information infrastructure".
So what counts as "critical information infrastructure" in our country?

I. Scope and definition of "critical information infrastructure"
According to the definition in Article 2 of the newly drafted Cyber Security Management Bill, "specific" critical information infrastructure covers eight sectors: government, finance, telecommunications, transportation, water, energy (oil, electricity, etc.), emergency medical care and science parks (the infrastructure itself, not the vendors located there).

Because this "specific" critical information infrastructure is not operated only by the government but may also include private legal entities and enterprises, and because an attack by state-sponsored or organised hacker groups would affect not only our daily lives but also social and national security, these private operators are also brought within the scope of cyber security management and protection.

For example, in the First Bank ATM heist the year before last (2016) and the Far Eastern International Bank hacker wire-fraud case last year (2017), without the assistance of the government's police, prosecutors, investigators and security teams in identifying the intrusion source and recovering the stolen funds, the incidents could have spread and escalated, possibly triggering a run on withdrawals, undermining the stability of the financial order and even endangering national security.

That is why the Executive Yuan's Department of Cyber Security drafted the Cyber Security Management Bill last year (2017) and sent it to the Legislative Yuan for deliberation, in the hope that passing it will raise the information security of our nation's "specific" critical information infrastructure and protect the digital nation.

II. The core meaning of the "Management" Act
The reason this law carries the word "management" in its name is chiefly that "specific" critical information infrastructure should be governed with "managing cyber security risk" at its core: different levels of responsibility are defined for different levels of cyber security risk (Article 9 of the draft), and mechanisms are established for prevention beforehand, response during an incident, assurance of recovery afterwards (audit), and information sharing.

  1. To strengthen prevention beforehand, the emphasis is on organisational management levels and accountability (for example, Article 10 of the draft establishes a Chief Information Security Officer mechanism) and on risk-control methods (for example, Article 10 of the draft requires government agencies to submit their cyber security implementation plans upward).
  2. To improve response capability during an incident, "specific" critical information infrastructure is required to establish an incident reporting and response mechanism (Articles 13 and 17 of the draft), and at the time of reporting may seek assistance from the central competent authority and related units, raising the capacity to respond to cyber security incidents.
  3. Work to assure recovery afterwards (such as audits) must also be set out in the cyber security implementation plan and carried out.

Of course, if a major cyber security incident occurs and the government agency, private legal entity or company responsible for operating "specific" critical information infrastructure has breached the requirements of this Management Act, corresponding penalties apply; public servants whose actions or omissions violate this Act are also subject to disciplinary measures.

I hope the legislators of the Legislative Yuan will pass the Cyber Security Management Bill as soon as possible, so that operators of "specific" critical information infrastructure bear the responsibilities and obligations of secure operation, and all citizens can enjoy a safer and more convenient digital life.

In addition, for reference material on critical information infrastructure protection (CIIP), the following links are also good reading:

  1. Critical Infrastructure Cyber Security Protection (關鍵基礎設施資安防護): https://www.motc.gov.tw/uploaddowndoc?file=bussiness/201706151511090.pdf&filedisplay=4.%E9%97%9C%E9%8D%B5%E5%9F%BA%E7%A4%8E%E8%A8%AD%E6%96%BD%E8%B3%87%E5%AE%89%E9%98%B2%E8%AD%B7.pdf&flag=doc
  2. National Critical Information Infrastructure Protection: Practical Implementation Guide for Sector CERTs, ISACs and SOCs (國家關鍵資訊基礎設施防護-領域CERT、ISAC及SOC實務建置指引): https://www.nicst.ey.gov.tw/News_Content.aspx?n=626B7A2643794AB0&sms=C43ECA251722A365&s=D4B74DD1B759D083
The digital revolution has changed every aspect of our lives. We now read news on smartphones instead of newspapers; we greet people on social media more than we do in person; we pay bills online rather than handing over cash. We depend on the internet and information infrastructure for almost everything. Therefore, the security of the Internet and information systems that support many of society's fundamental functions, known as "Critical Information Infrastructure", has become essential in every country.

I. Definition of "Critical Information Infrastructure"

According to Article 2 of Taiwan's "Cyber Security Management Bill", "specific" critical information infrastructures are the infrastructures of government, finance, telecommunications, transportation, water, energy, emergency medical care, and science parks. These "specific" critical information infrastructures include both public and private ones, given that an attack on such an infrastructure could have severe national security implications regardless of its ownership. The First Bank ATM robbery in 2016 and the Far East Bank theft in 2017 have shown that a failure to investigate and recover the stolen assets in time could potentially cause a bank run, disturb the financial market, and even lead to a national security crisis. Therefore, the Security Services Department of the Executive Yuan drafted and submitted the "Cyber Security Management Bill" to the Legislative Yuan in 2017, which aims to enhance the security of Taiwan's critical information infrastructure.

II. The content of the Cyber Security Management Bill

The purpose of "The Cyber Security Management Bill" is to "manage" security risks. It defines different levels of security risk and the corresponding management responsibilities (Article 9), covering prevention, emergency response, recovery, and information sharing:

  1. With regard to prevention, the bill focuses on organizational management hierarchy (Article 10 creates a Chief Information Security Officer), as well as risk control measures (Article 10 establishes a reporting system in the government).

  2. With regard to resilience in the face of an attack, the bill sets up an incident reporting and response mechanism (Articles 13 and 17) and tasks the agencies responsible for governing the attacked infrastructures with the responsibility to assist.

  3. Incident recovery (such as audits) must be included in the information security implementation plan and carried out accordingly.

  4. Any violation of or failure to comply with the bill will be penalized.

In short, "The Cyber Security Management Bill" clarifies the responsibilities of owners and managers of critical information infrastructures in Taiwan. Once it is passed, it will help the government better manage the risks associated with critical information infrastructure. We hope this legislation will be a good first step in building a safer and more convenient cyber environment.
