Critical Information Infrastructure: CII

Under Section 49 of the Cybersecurity Act, the NCSC has the authority to set out general cybersecurity policies and action plans, as well as minimum standards for computer systems used in both government agencies and CII entities, in the following services:

National security;
Material public service;
Banking and finance;
Information technology and telecommunications;
Transportation and logistics;
Energy and public utilities;
Public health; and
Other areas that may be further prescribed by the relevant cybersecurity authority.

Under the Cybersecurity Act, these companies must put in place internal guidelines for managing cybersecurity issues, as follows:

  1. Identify significant processes
  2. Analyze the situation and evaluate the effect of a denial-of-service attack
  3. Evaluate an acceptable out-of-service duration
  4. Determine significant processes and identify information assets
  5. Identify Critical Information Infrastructure

Sections in the Cybersecurity Act 2019

Protection

Section 43

  • The Committee shall prepare a policy and plan for Maintaining Cybersecurity in accordance with section 42 to propose to the Cabinet for approval, which shall be published in the Government Gazette. Once published, Government Agencies, Supervising or Regulating Organizations, and Organizations of Critical Information Infrastructure as determined in the plan on Maintaining Cybersecurity shall take action to be in accordance with such policy and plan.

    In preparing the policy and plan under paragraph one, the Office shall hold a hearing or meeting with the Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure.

Section 44

  • The Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure shall prepare a Code of Practice and standard framework for Maintaining Cybersecurity of each organization in accordance with the policy and plan on Maintaining Cybersecurity without delay.

    The Code of Practice for Maintaining Cybersecurity under paragraph one, at least, shall consist of the following:
    (1) the plan for examining and assessing risks related to Maintaining Cybersecurity by an examiner, internal auditor, or independent external auditor, at least once per year;
    (2) the plan for coping with Cyber Threats.
    For the benefit of preparing the Code of Practice for Maintaining Cybersecurity in paragraph one, the Office, upon the approval of the Committee, shall prepare a Code of Practice and standard framework for the Government Agency, Supervising or Regulating Organization, or Organization of Critical Information Infrastructure to use as a guideline to prepare or exercise as a Code of Practice of the Government Agency, Supervising or Regulating Organization, or Organization of Critical Information Infrastructure. In case such organizations do not yet have one, or have one that is incomplete or not in accordance with the Code of Practice and standard framework, such Code of Practice and standard framework shall be enforced.

Section 45

  • The Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure have a duty to prevent, cope with, and mitigate risks from Cyber Threats in accordance with the Code of Practice and standard framework for Maintaining Cybersecurity of each organization and shall act in order to be in compliance with the Code of Practice and standard framework for Maintaining Cybersecurity in accordance with section 13 paragraph one (4).
    In case the Government Agency, Supervising or Regulating Organization, or Organization of Critical Information Infrastructure could not act or comply in accordance with paragraph one, the Office may grant assistance in the personnel or technological aspects to such organization as requested.

Section 46

  • For the benefit of Maintaining Cybersecurity, the Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure shall notify the name of executive officials and operational officials for the coordination of Maintaining Cybersecurity to the Office.
    In the event there is a change to the officials under paragraph one, the Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure shall notify the Office without delay.

Section 52

  • For the benefit of coordination, the Organization of Critical Information Infrastructure shall notify the name and contact information of the owner, the person possessing the computer, and the person monitoring the computer system to the Office, its Supervising or Regulating Organization, and the organization under section 50, within thirty days from the date the Committee prescribes the notification in accordance with section 49 paragraph two and section 50 paragraph two, or from the date the Committee issues a final judgement in accordance with section 51, as the case may be; the owner, the person possessing the computer, and the person monitoring the computer system shall at least be a person responsible for the management of such Organization of Critical Information Infrastructure.
    In case there is any change to the owner, the person possessing the computer and the person monitoring the computer system in accordance with paragraph one, notice of change to the relevant organizations under paragraph one shall be given not less than seven days in advance, unless there is reasonable cause which is inevitable, it shall be notified without delay.

Section 54

  • The Organization of Critical Information Infrastructure shall conduct risk assessment on Maintaining Cybersecurity by having an examiner, including examination in the cybersecurity aspect by the information security auditor, internal auditor or external independent auditor, at least once per year.
    The Organization of Critical Information Infrastructure shall submit a summary report of the operation result to the Office within thirty days after the operation has been finished.

Coping

Section 56

  • The Organization of Critical Information Infrastructure shall establish a mechanism or process to monitor Cyber Threats or Cybersecurity Incidents which relates to its Critical Information Infrastructure in accordance with the standards as determined by the Supervising or Regulating Organization and in accordance with Code of Practice, including the system of Cybersecurity Solution as determined by the Committee or the CRC, and shall participate in the assessment on the readiness in coping with Cyber Threats as held by the Office.

Section 57

  • In the event of a Cyber Threat significantly occurring to the system of the Organization of Critical Information Infrastructure, the Organization of Critical Information Infrastructure shall report to the Office and the Supervising or Regulating Organization and cope with the Cyber Threats as prescribed in Part 4. The CRC may prescribe criteria and method of the reporting.

Section 58

  • In the case there is or may be a Cyber Threat to an information system that is under the responsibility of a Government Agency or an Organization of Critical Information Infrastructure, such organization shall examine its related information, computer data, and the computer system, including the surrounding circumstances to assess whether a Cyber Threat has occurred. If the examination results show that there is or may be a Cyber Threat, the organization shall prevent, cope with, and mitigate the risks from such Cyber Threat in accordance with the Code of Practice and standard framework in Maintaining Cybersecurity and shall notify the Office and its Supervising or Regulating Organization without delay.
    In case the agency or organization, or any person, finds an obstacle or issues in preventing, coping with, or mitigating the risks from a Cyber Threat, such agency, or organization or person may request assistance from the Office.