Overview of Cyber Security Levels
- Smartphones that acquired the previous version of the ESS Seal by means of the Infocom Security Technical Inspection Guidelines of Embedded Software on Smartphone Systems, announced by the National Communications Commission (NCC) on March 3, 2017 (no longer applicable since February 23, 2022)
In response to differing price considerations and cyber security needs of users when purchasing, the smartphone system embedded software cyber security certification was divided into three levels: low, medium, and high according to the aforementioned technical specification regulations announced by the NCC. A low-level certification indicates a smartphone has the capacity to protect sensitive information such as personal information and privacy; a medium-level certification indicates the device offers security measures to protect not only sensitive information but also the use, storage, and transmission of other information; a high-level certification means a smartphone has the capacity to prevent core, base-level information from being tampered with or inappropriately acquired. Applicants such as phone manufacturers could apply for the level of smartphone system embedded software cyber security testing and certification as needed according to the market positioning and cyber security capacity of phones.
The level of cyber security certification a phone has acquired can be confirmed by the owner by counting the number of stars on the ESS Certification Seal. For example, three stars on the seal indicate that the product attained high-level cyber security.
However, smartphones from different brands have varying numbers of system embedded software programs, which are also usually updated. Consequently, in addition to checking for the ESS Certification Seal, consumers should visit the Smartphone System Embedded Software Cyber Security Test website to review the ESS certificate of a phone and download the software summary form. They can then confirm that the version of each embedded software program shown on the phone matches the form, so as to ensure that the ESS Certification Seal is valid.
- Smartphones that have obtained the new version of the ESS Seal by means of the Infocom Security Test Specifications for Embedded Software on Smartphone Systems, announced by the Taiwan Association of Information and Communication Standards (TAICS)
Because new features are constantly being added to phones, the NCC requested the TAICS to determine industry standards in order to ensure the default security of consumer smartphones and respond to the different price considerations and cyber security needs of users. The "TS-0030 v1.1—Infocom Security Test Specifications for Embedded Software on Smartphone Systems" was announced in January 2021. The smartphone system embedded software cyber security certification detailed in the regulations has been divided into three levels: one, two, and three, according to criteria such as protection of sensitive information, defense against malicious attacks, and prevention of core, base-level information from being tampered with or inappropriately acquired, with higher levels equating to stronger security.
A level one certification indicates a smartphone has the capacity to securely store sensitive information such as personal information, encrypt communications and transmissions, and check the permissions of system features and embedded software, providing the user with a secure environment to prevent information from leaking. A level two certification shows a smartphone not only offers security measures to protect sensitive information but also prevents embedded software from transmitting information on its own, or becoming disabled or leaking information due to malicious attacks. Meanwhile, a level three certification indicates a smartphone has the capacity to prevent core, base-level information from being tampered with or inappropriately acquired; aside from all the level one and two security requirements, a level three certification also reviews the security demands, trusted execution environment checks, the phone's integrity check mechanism for applications, and multi-factor or strong authentication for paid features detailed within the phone design security documents. Applicants such as phone manufacturers may plan and apply for the level of smartphone system embedded software cyber security testing and certification as needed according to the market positioning and cyber security capacity of the device.