Cyber Security Exercises and Audits
Overview
To help agencies reinforce their cyber security defenses, the National Information and Communication Security Taskforce (NICST) began conducting annual cyber security audits in 2001, in the form of third-party audits. Audited agencies receive suggestions for refining their cyber security measures. Additionally, common findings are compiled and provided as reference points for the cyber security efforts of all government agencies.
The cyber security audits
The NICST has conducted annual audits since 2001. After completing each year's audits, the NICST announces its suggestions at the annual governmental Chief Information Security Officers (CISOs) meetings and workshops, continuously strengthening agency cyber security defenses.
The audits are conducted in two phases. The first phase consists of technical inspections, divided into eight major test items that focus on detecting weaknesses in the audited agencies' core systems, computers, and databases. The second phase is the on-site audit, during which a NICST auditing team visits and inspects the audited agencies. On-site audits cover 3 aspects (strategy, management, and technology) with a total of 9 audit items.
The Administration consistently adheres to the regulations of the Cyber Security Management Act and conducts cyber security audits of government agencies, helping them identify risks early so that potential threats can be mitigated. The Administration also follows the Act's hierarchical supervision and management mechanism, reinforcing the auditing capabilities of competent authorities. It implements legal compliance measures within agencies to maintain an overall environment conducive to national cyber security development.
Cyber Security Exercise
To enhance the cyber security defense and response abilities of our government agencies, Taiwan has held domestic cyber security exercises every year since 2013, including email social engineering exercises and penetration test exercises. The email social engineering exercise simulates actual attacker methods by sending social engineering emails and text messages to test subjects' vigilance. The penetration test exercise examines systems against the latest edition of the Open Web Application Security Project (OWASP) Top 10 weaknesses, discovering vulnerabilities in systems and integrating cyber security incident reporting and response procedures, so as to increase agencies' cyber security defense abilities and staff awareness. In Taiwan, the Cyber Offensive and Defensive Exercise (CODE), an extended engagement with varying simulations and drills, is hosted every two years by the NICST of the Executive Yuan. We invite experts from domestic and international government agencies to participate in the exercise, engaging in exchanges and jointly improving the required specialized skills and response competencies.