Cyber Security Exercises and Audits
To help agencies reinforce their cyber security defenses, the National Information and Communication Security Taskforce (NICST) has conducted annual cyber security audits as an independent third party since 2001. Each audited agency receives recommendations for refining its cyber security measures, and the common findings across agencies are compiled and published as a reference for all government agencies.
Since 2013, the NICST has also conducted Cyber Offensive and Defensive Exercises (CODE), which help agencies discover weaknesses in their websites and systems and familiarize them with cyber security incident reporting and response procedures. After each round of audits and exercises, the NICST presents its recommendations at the annual meetings and workshops for government CISOs, continuously strengthening agency cyber security defenses.
The cyber security audits
The audits are conducted in two phases. The first phase consists of technical inspections, divided into eight major test items, that focus on detecting weaknesses in the audited agencies' core systems, computers, and databases. The second phase is the on-site audit, in which an NICST audit team visits and inspects the audited agencies. On-site audits cover three aspects (strategy, management and technology) comprising 11 audit items in total.
In accordance with the Cyber Security Management Act, the Administration continuously conducts cyber security audits of government agencies, helping them discover risks early and avert potential threats. The Administration also applies the Act's hierarchical supervision and management mechanism, reinforcing the capacity of competent authorities to audit the agencies under their supervision and ensuring that legal compliance items are implemented within agencies, so as to maintain the overall environment for national cyber security development.
Cyber Offensive and Defensive Exercise
To enhance government agencies' cyber security defense and response capabilities, Taiwan has held CODEs every year since 2013, comprising email social engineering exercises and penetration test exercises. The email social engineering exercises simulate real attacker techniques, sending social engineering emails and text messages to test recipients' vigilance. The penetration test exercises examine agency systems against the newest edition of the Open Web Application Security Project (OWASP) Top 10 weaknesses, discovering vulnerabilities in systems and integrating the cyber security incident reporting and response procedures, in order to increase agencies' defensive capability and staff awareness. Since 2019 the NICST has also conducted international CODEs. Rather than being based on simulated scenarios, these exercises are practical: cyber security talent from government agencies in and outside Taiwan is invited to form attack teams, which launch attacks against defense teams formed by Taiwanese experts, improving the cyber security skills and response capabilities of both sides.